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FOREWORD 


Several  years  ago,  as  the  primary  focus  of  U.S. 
military  strategy  shifted  to  the  western  Pacific  re¬ 
gion,  many  respected  authorities  began  to  question 
the  relevance  of  the  North  Atlantic  Treaty  Organiza¬ 
tion  (NATO)  in  modern  world  events.  More  recent 
events,  such  as  the  Russian  Federation's  annexation 
of  Crimea,  have  given  policy  makers  pause  to  ques¬ 
tion  the  wisdom  of  anticipated  force  cuts  in  Europe. 
Amidst  this  turmoil,  the  staffs  of  U.S.  European  Com¬ 
mand  and  U.S.  Army  Europe  have  been  establishing 
and  refining  their  capabilities  to  conduct  military 
operations  in  and  through  the  cyberspace  realm. 

If  indeed  the  decision  is  made  to  pursue  military 
action  in  cyberspace,  what  capabilities  are  available 
within  NATO  forces  to  accomplish  such  activities? 
What  organization,  doctrine,  and  methods  would 
guide  operators  who  perform  such  actions?  In  this 
monograph,  Mr.  Jeffrey  Caton  explores  these  ques¬ 
tions  within  the  broader  context  of  the  continued 
evolution  of  the  NATO  Alliance.  He  argues  that  the 
overall  state  of  cyberspace  activities  within  NATO  ap¬ 
pears  to  be  sound  and  that  continued  resourcing  for, 
and  pursuit  of,  improved  cyberspace  capabilities  by 
U.S.  military  forces  in  Europe  will  help  to  ensure  the 
steady  progress  of  NATO  cyberspace  endeavors. 


DOUGLAS  C.  LOVELACE,  JR. 
Director 

Strategic  Studies  Institute  and 
U.S.  Army  War  College  Press 
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SUMMARY 


The  development  of  cyberspace  defense  capa¬ 
bilities  for  the  North  Atlantic  Treaty  Organization 
(NATO)  has  been  making  steady  progress  since  its  for¬ 
mal  introduction  at  the  North  Atlantic  Council  Prague 
Summit  in  2002.  Bolstered  by  numerous  cyber  attacks 
such  as  those  in  Estonia  in  2007,  Alliance  priorities 
were  formalized  in  subsequent  NATO  cyber  defense 
policies  that  were  adopted  in  2008,  2011,  and  2014. 
This  monograph  examines  the  past  and  current  state 
of  NATO's  cyberspace  defense  efforts  by  assessing  the 
appropriateness  and  sufficiency  of  them  to  address 
anticipated  threats  to  member  countries,  including  the 
United  States.  This  analysis  focuses  on  the  recent  his¬ 
tory  of  NATO's  cyberspace  defense  efforts  and  how 
changes  in  NATO's  strategy  and  policy  writ  large  em¬ 
brace  the  emerging  nature  of  cyberspace  for  military 
forces,  as  well  as  other  elements  of  power.  In  general, 
the  topics  presented  herein  are  well  documented  in 
many  sources.  Thus,  this  monograph  serves  as  a  prim¬ 
er  for  current  and  future  operations  and  provides  se¬ 
nior  policymakers,  decision-makers,  military  leaders, 
and  their  respective  staffs  with  an  overall  apprecia¬ 
tion  of  existing  capabilities  as  well  as  the  challenges, 
opportunities,  and  risks  associated  with  cyberspace- 
related  operations  in  the  NATO  context.  The  scope 
of  this  discussion  is  limited  to  unclassified  and  open 
source  information;  any  classified  discussion  must 
occur  within  another  venue. 

This  monograph  has  three  main  sections: 

•  NATO  Cyberspace  Capability:  Strategy  and 
Policy.  This  section  examines  the  evolution  of 
the  strategic  foundations  of  NATO  cyber  activi¬ 
ties,  policies,  and  governance  as  they  evolved 
over  the  past  13  years.  It  analyzes  the  content  of 


XI 


the  summit  meetings  of  the  NATO  North  Atlan¬ 
tic  Council  for  material  related  to  cyber  defense. 
It  also  summarizes  the  evolution  of  NATO 
formal  cyber  defense  policy  and  governance 
since  2002. 

•  NATO  Cyberspace  Capability:  Military  Focus. 
NATO  cyber  defense  mission  areas  include 
NATO  network  protection,  shared  situational 
awareness  in  cyberspace,  critical  infrastructure 
protection  (CIP),  counter-terrorism,  support  to 
member  country  cyber  capability  development, 
and  response  to  crises  related  to  cyberspace. 
This  section  explores  these  mission  areas  by 
examining  the  operations  and  planning,  doc¬ 
trine  and  methods,  and  training  and  exercises 
related  to  NATO  military  cyberspace  activities. 

•  Key  Issues  for  Current  Policy.  The  new  En¬ 
hanced  Cyber  Defence  Policy  affirms  the  role 
that  NATO  cyber  defense  contributes  to  the 
mission  of  collective  defense  and  embraces 
the  notion  that  a  cyber  attack  may  lead  to 
the  invocation  of  Article  5  actions  for  the  Al¬ 
liance.  Against  this  backdrop,  this  section  ex¬ 
amines  the  related  issues  of  offensive  cyber¬ 
space,  deterrence  in  and  through  cyberspace, 
legal  considerations,  and  cooperation  with  the 
European  Union. 

This  monograph  concludes  with  a  summary  of  the 
main  findings  from  the  discussion  of  NATO  cyber¬ 
space  capabilities  and  a  brief  examination  of  the  im¬ 
plications  for  Department  of  Defense  and  Army  forces 
in  Europe.  Please  note  that  the  European  spelling  of 
some  words  (e.g.,  defence)  may  be  used  throughout 
this  monograph  to  ensure  the  accuracy  of  NATO 
organizational  and  operational  titles. 
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NATO  CYBERSPACE  CAPABILITY: 
A  STRATEGIC  AND  OPERATIONAL 
EVOLUTION 


INTRODUCTION 

The  development  of  cyberspace  defense  capa¬ 
bilities  for  the  North  Atlantic  Treaty  Organization 
(NATO)  has  been  making  steady  progress  since  its  for¬ 
mal  introduction  at  the  North  Atlantic  Council  Prague 
Summit  in  2002.  Bolstered  by  numerous  cyber  attacks 
such  as  those  in  Estonia  in  2007,  Alliance  priorities 
were  formalized  in  subsequent  NATO  cyber  policies 
that  were  adopted  in  2008,  2011,  and  2014.  This  mono¬ 
graph  examines  the  past  and  current  state  of  NATO's 
cyberspace  defense  efforts  by  assessing  the  appropri¬ 
ateness  and  sufficiency  of  them  to  address  anticipated 
threats  to  member  countries,  including  the  United 
States.  This  analysis  focuses  on  the  recent  history  of 
NATO's  cyberspace  defense  efforts,  and  how  changes 
in  NATO's  strategy  and  policy  writ  large  embrace  the 
emerging  nature  of  cyberspace  for  military  forces  as 
well  as  other  elements  of  power.  In  general,  the  topics 
presented  herein  are  well  documented  in  many  sourc¬ 
es.  Thus  this  monograph  serves  as  a  primer  for  current 
and  future  operations  to  provide  senior  policymakers, 
decision-makers,  military  leaders,  and  their  respective 
staffs  with  an  overall  appreciation  of  existing  capabili¬ 
ties  as  well  as  the  challenges,  opportunities,  and  risks 
associated  with  cyberspace-related  operations  in  the 
NATO  context. 
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NATO  CYBERSPACE  CAPABILITY: 
STRATEGY  AND  POLICY 


The  founding  principles  of  NATO  were  the  col¬ 
lective  defense,  crisis  management,  and  cooperative 
security  amongst  its  member  countries.  Conceived  in 
a  Cold  War  environment,  the  Alliance  has  endured 
strategic  changes  through  major  conflicts  and  the 
global  power  shifts  that  eventually  led  to  the  fall  of 
the  Warsaw  Pact.  After  a  brief  period  where  some 
pundits  questioned  its  relevancy,  NATO  has  experi¬ 
enced  a  renaissance  of  its  core  security  functions  with 
the  adoption  of  a  new  Strategic  Concept  in  2010.  This 
section  examines  the  recent  evolution  of  the  strategic 
foundations  of  NATO  cyber  activities,  policies,  and 
governance  as  they  evolved  over  the  past  13  years. 

Cyberspace  Addressed  in  Major  Accords. 

The  2002  NATO  North  Atlantic  Council  (NAC) 
Summit  in  Prague,  Czech  Republic  marked  the  entry 
of  cyber  defense  as  a  significant  issue  worthy  of  the 
collective  attention  of  the  Alliance.1  Leaders  at  the 
summit  directed  the  creation  of  a  technical  NATO  cy¬ 
ber  defense  program  that  included  the  establishment 
of  the  NATO  Computer  Incident  Response  Capability 
(NCIRC).2 

While  work  on  cyber  defense  progressed,  there 
was  no  mention  of  it  in  a  NAC  summit  again  until  the 
2006  meeting  in  Riga,  Latvia.  Table  1  summarizes  the 
key  strategic-level  content  from  NATO  summit  meet¬ 
ings  held  over  the  past  decade  (see  the  Appendix  for 
the  verbatim  excerpts  of  cyber-related  content  from 
these  meetings). 
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NATO  North 
Atlantic  Council 
Summit  Meeting 

Key  Strategic  Cyberspace-Related  Issues 
in  Summit  Declaration 

Riga,  Latvia 
November  29, 

2006 

•  Endorsed  work  to  develop  a  NATO  Network 
Enabled  Capability  to  share  information  in 
Alliance  operations  and  improve  protection 
against  cyber  attack.3 

Bucharest, 

Hungary 

April  3,  2008 

•  Adopted  an  initial  Policy  on  Cyber  Defense 
and  development  of  supporting  structures  and 
authorities  to  implement  it.4 

Strasbourg-Kehl, 
France/Germany 
April  2-3,  2009 

•  Established  a  NATO  Cyber  Defence  Manage¬ 
ment  Authority  (CDMA). 

•  Improved  the  existing  Computer  Incident 
Response  Capability. 

•  Activated  the  Cooperative  Cyber  Defence 

Centre  of  Excellence  (CCD  COE)  in  Estonia.5 

Lisbon,  Portugal 
November  20, 

2010 

•  Called  for  an  updated  NATO  in-depth  cyber 
defense  policy  by  June  201 1  as  well  as  a 
supporting  action  plan. 

•  Accelerated  goal  of  NATO  Computer  Incident 
Response  Capability  (NCIRC)  to  Full  Opera¬ 
tional  Capability  (FOC)  by  2012. 

•  Called  for  all  NATO  bodies  to  be  under  cen¬ 
tralized  cyber  protection. 

•  Use  NATO’s  defense  planning  processes  to 
develop  Allies’  cyber  defense  capabilities  and 
improve  interoperability. 

•  Work  closely  with  other  actors,  such  as  the 
United  Nations  (UN)  and  the  European  Union 
(EU).5 

Table  1.  Key  Cyber  Issues  at  Recent  NATO 
North  Atlantic  Council  Summit  Meetings. 
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NATO  North 
Atlantic  Council 
Summit  Meeting 

Key  Strategic  Cyberspace-Related  Issues 
in  Summit  Declaration 

Chicago,  Illinois, 
USA 

May  20,  2012 

•  Confirmed  adoption  of  a  new  Cyber  Defence 
Concept,  Policy,  and  Action  Plan. 

•  Reiterated  efforts  to  improve  NATO  capabili¬ 
ties  and  planning  to  address  cyber  attacks  by 
continuing  to  pursue  centralized  cyber  protec¬ 
tion  of  NATO  bodies;  integrate  cyber  defense 
into  Alliance  structures  and  procedures  and 
strengthen  Alliance  collaboration  and  interop¬ 
erability.7 

Newport,  Wales, 

UK 

September  5,  2014 

•  Endorsed  an  Enhanced  Cyber  Defence  Policy. 

•  Reaffirmed  ongoing  efforts  to  improve  NATO 
capabilities  and  planning  to  address  cyber 
attacks  through  new  initiatives  with  industry; 
with  cyber  defense  education,  training,  and 
exercise  activities;  and  with  a  cyber  range 
capability.8 

Table  1.  Key  Cyber  Issues  at  Recent  NATO 
North  Atlantic  Council  Summit  Meetings,  (cont.) 


The  2009  Annual  Session  of  the  NATO  Parliamen¬ 
tary  Assembly  included  a  report,  "NATO  and  Cyber 
Defence,"  that  provided  an  in-depth  review  of  the  key 
issues  faced  by  the  Alliance  in  the  cyberspace  realm. 
The  report's  conclusion  characterized  the  urgent  need 
for  NATO  cyber  defense: 

All  indications  signal  that  cyber  attacks  are  now  one  of 
the  most  serious  asymmetric  threats  faced  by  the  Alli¬ 
ance  and  its  member  states,  along  with  terrorism  and 
nuclear  proliferation.  The  open  nature  of  the  Internet 
makes  preventing  cyber  attacks  difficult;  effective 
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international  cooperation  will  be  critical  to  addressing 
this  problem  in  the  years  to  come.  As  the  world's  pre¬ 
mier  collective  defence  entity,  NATO  has  a  responsi¬ 
bility  to  take  adequate  measures  to  protect  itself  from 
such  threats,  as  well  as  having  a  potentially  significant 
role  to  play  in  contributing  to  the  cyber  defence  of  its 
Members,  both  through  deterrence  and  by  coordinat¬ 
ing  common  cyber  security  measures.  NATO's  new 
strategic  concept  should  reflect  this  important  new  el¬ 
ement  of  Alliance  activity.  National  parliamentarians 
have  an  important  role  to  play  in  hastening  the  imple¬ 
mentation  of  NATO's  cyber  defence  policy,  as  well  as 
ensuring  that  cyber  security  measures  are  responsibly 
put  in  place  and  exercised  at  the  domestic  level.9 

A  significant  outcome  of  the  2010  Lisbon  Summit 
was  the  adoption  of  a  new  NATO  Strategic  Concept: 
"Active  Engagement,  Modern  Defence."10  This  official 
document  describes  NATO's  enduring  purpose,  fun¬ 
damental  security  tasks,  and  anticipated  security  en¬ 
vironment.  It  also  provides  guidance  on  how  military 
forces  should  adapt  to  implement  the  new  concept. 
There  have  been  only  six  previous  Strategic  Concepts, 
the  first  four  of  which  were  classified  documents  that 
reflected  the  evolution  of  NATO  throughout  the  Cold 
War  and  addressed  issues  such  as  the  doctrines  of 
massive  retaliation  and  flexible  response  for  nuclear 
weapons.  Strategic  Concepts  in  1991  and  1999  ad¬ 
dressed  the  emerging  challenges  of  a  post-Cold  War 
geopolitical  environment.11 

"Active  Engagement,  Modern  Defence"  is  focused 
on  three  essential  core  tasks:  collective  defense,  crisis 
management,  and  cooperative  security.12  Its  section 
describing  "The  Security  Environment"  includes  a 
paragraph  that  states,  "cyber  attacks  are  becom¬ 
ing  more  frequent,  more  organized  and  more  costly 
in  damage"  to  governments  and  industries  in  the 
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alliance.  It  also  notes  that  such  attacks  may  not  only 
come  from  foreign  militaries,  but  also  from  "orga¬ 
nized  criminals,  terrorists  and/ or  extremist  groups."13 
The  Strategic  Concept's  section  on  "Defence  and  De¬ 
terrence"  outlines  the  scope  of  military  capabilities 
required  by  NATO  to  cope  with  challenges  such  as 
nuclear  operations,  ballistic  missile  defense,  expedi¬ 
tionary  operations,  counter-terrorism  measures,  and 
energy  security.  It  also  explicitly  mentions  the  broad 
areas  of  capability  required  to  confront  cyber  attacks: 

We  will  ensure  that  NATO  has  the  full  range  of  ca¬ 
pabilities  necessary  to  deter  and  defend  against  any 
threat  to  the  safety  and  security  of  our  populations. 
Therefore,  we  will. .  .develop  further  our  ability  to  pre¬ 
vent,  detect,  defend  against  and  recover  from  cyber¬ 
attacks,  including  by  using  the  NATO  planning  pro¬ 
cess  to  enhance  and  coordinate  national  cyber-defence 
capabilities,  bringing  all  NATO  bodies  under  central¬ 
ized  cyber  protection,  and  better  integrating  NATO 
cyber  awareness,  warning  and  response  with  member 
nations.14 

Cyber  Policy  and  Governance. 

An  initial  NATO  Cyber  Defence  Policy  was  adopt¬ 
ed  at  the  2008  NATO  NAC  Summit  in  Bucharest.  The 
policy  was  then  updated  after  the  2010  Lisbon  Sum¬ 
mit  and  again  after  the  2014  Wales  Summit.  Table  2 
summarizes  the  key  tenets  of  each  of  these  policies. 
The  2008  version  provided  some  of  the  foundational 
elements  for  future  policies  and  began  the  process  of 
centralizing  NATO  cyber  efforts  through  institutions 
such  as  the  Cyber  Defence  Management  Authority 
(CDMA).  The  CDMA  mission  was  "to  initiate  and  co¬ 
ordinate  cyber  defenses,  review  capabilities,  and  con¬ 
duct  appropriate  risk  management."15 
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The  2011  NATO  Cyber  Defence  Policy  followed 
the  adoption  of  the  new  NATO  Strategic  Concept  and 
thus  focused  on  methods  to  further  NATO's  collective 
ability  "to  prevent,  detect,  defend  against  and  recover 
from  cyber-attacks."16  It  also  established  a  cyber  de¬ 
fense  governance  with  a  hierarchy  that  flowed  from 
the  NAC  to  the  Defence  Policy  and  Planning  Com¬ 
mittee  in  Reinforced  Format,  then  to  the  NATO  Cyber 
Defence  Management  Board  (CDMB),  and  finally  to 
the  NCIRC.17 


Year 

Key  Tenets  of  NATO  Cyber  Policy 

2008 

•  Emphasize  protection  of  key  information  systems. 

•  Share  best  practices  for  cyber  defence. 

•  Develop  capability  to  assist  Allied  nations,  upon  request,  to 
counter  cyber  attack. 

•  Develop  NATO’s  cyber  defence  capabilities. 

•  Strengthen  linkage  between  NATO  and  national  authorities.18 

2011 

•  Integrate  cyber  defence  considerations  into  NATO  structures 
and  planning  processes  in  order  to  perform  NATO’s  core  tasks 
of  collective  defence  and  crisis  management. 

•  Focus  on  prevention,  resilience,  and  defence  of  critical  cyber 
assets  to  NATO  and  Allies. 

•  Develop  robust  cyber  defence  capabilities  and  centralize  pro¬ 
tection  of  NATO’s  own  networks. 

•  Develop  minimum  requirements  for  cyber  defence  of  national 
networks  critical  to  NATO’s  core  tasks. 

•  Provide  assistance  to  the  Allies  to  achieve  a  minimum  level 
of  cyber  defence  and  reduce  vulnerabilities  of  national  critical 
infrastructures. 

•  Engage  with  partners,  international  organizations,  the  private 
sector  and  academia.19 

Table  2.  Key  Tenets  of  NATO  Cyber  Defence 
Policy  Versions. 
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Year 

Key  Tenets  of  NATO  Cyber  Policy 

2014 

•  Reaffirms  the  principles  of  the  indivisibility  of  Allied  security 
and  of  prevention,  detection,  resilience,  recovery,  and  defence. 

•  Recalls  that  the  fundamental  cyber  defense  responsibility  of 
NATO  is  to  defend  its  own  networks. 

•  Emphasizes  responsibility  of  Allies  to  develop  relevant  capabili¬ 
ties  for  protection  of  their  national  networks. 

•  Recognizes  that  international  law  applies  in  cyberspace. 

•  Affirms  that  cyber  defence  is  part  of  NATO’s  core  task  of  col¬ 
lective  defense  under  Article  5.20 

Table  2.  Key  Tenets  of  NATO  Cyber  Defence 
Policy  Versions,  (cont.) 


The  2014  NATO  Enhanced  Cyber  Defence  Policy 
refines  cyber  governance  processes  and  formerly  ties 
cyber  to  the  traditional  NATO  core  task  of  collective 
defense.  However,  it  also  clarifies  that  NATO  cyber 
defense  exists  primarily  to  defend  its  own  networks 
and  thus  individual  member  countries  are  expected 
to  defend  their  own  national  networks.  It  also  pro¬ 
mulgates  the  view  that  international  law  applies  to 
cyberspace.21  The  governance  maintains  the  NAC  is 
the  body  that  provides  strategic-level  oversight  and 
"exercises  principal  authority  in  cyber  defence-related 
crisis  management."22  Other  key  elements  of  NATO 
cyber  governance  include: 

The  Cyber  Defence  Committee  (formerly  the  Defence 
Policy  and  PlanningCommittee/  Cyber  Defence),  sub¬ 
ordinate  to  the  NAC,  is  the  lead  committee  for  politi¬ 
cal  governance  and  cyber  defence  policy  in  general, 
providing  oversight  and  advice  to  Allied  countries  on 
NATO's  cyber  defence  efforts  at  the  expert  level.  At 
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the  working  level,  the  NATO  Cyber  Defence  Manage¬ 
ment  Board  (CDMB)  is  responsible  for  coordinating 
cyber  defence  throughout  NATO  civilian  and  military 
bodies.  The  CDMB  comprises  the  leaders  of  the  policy, 
military,  operational  and  technical  bodies  in  NATO 
with  responsibilities  for  cyber  defence.23 

However,  how  would  this  governance  process  be 
applied  to  determine  the  appropriate  response  to  any 
perceived  aggression  in  cyberspace  against  NATO 
or  one  of  the  Alliance  members?  According  to  Jason 
Healey  and  Klara  Tothova  Jordan  of  the  Atlantic 
Council's  Cyber  Statecraft  Initiative,  "This  process  for 
engagement  begins  at  the  technical  level.  If  an  inci¬ 
dent  has  political  implications,  NATO's  cyber  defense 
efforts  get  elevated  from  the  NCIRC  to  the  CDMB 
and  CDC  [Cyber  Defence  Committee]  through  to  the 
NAC."24  The  NAC  would  determine  the  appropriate 
level  of  response,  which  could  include  invoking  col¬ 
lective  defense  through  Article  5  of  the  NATO  Char¬ 
ter,  although  this  is  considered  unlikely  unless  there 
is  significant  physical  damage  or  deaths  involved.25 
Within  the  constructs  of  international  law,  the  NATO 
charter,  and  the  United  Nations  charter  there  remains 
general  ambiguity  as  to  exactly  how  an  incident  in 
cyberspace  may  be  considered  an  act  of  war.26  If  in¬ 
deed  the  decision  is  made  to  pursue  military  action  in 
the  cyberspace  realm,  what  capabilities  are  available 
within  NATO  forces  to  accomplish  this? 

NATO  CYBERSPACE  CAPABILITY:  MILITARY 
FOCUS 

In  a  June  2013  blog  article,  General  Philip  Breed¬ 
love,  Supreme  Allied  Commander  Europe  (SACEUR), 
promulgated  the  need  for  NATO  forces  to  fully 
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embrace  and  integrate  cyber  defense  into  their  opera¬ 
tions.  Noting  that  NATO  had  endured  over  2,500  cy¬ 
ber  attacks  in  its  networks  during  2012,  he  declared 
the  threat  to  be  significant  enough  to  drive  upgrades 
in  incident  response  capability. 

The  idea  is  simple  and  as  old  as  the  alliance.  Whether 
the  threat  comes  from  the  barrel  of  a  gun  or  from  a 
high  speed  internet  connection,  you're  not  alone  when 
your  security  is  threatened.  The  destructive  conse¬ 
quences  of  a  cyber  attack  can  be  just  as  devastating  as 
the  aftermath  of  a  conventional  attack  and  so  we  as  a 
military  alliance  must  be  prepared  with  appropriate 
response  options.27 

Consistent  with  its  current  Cyber  Defence  Policy, 
NATO's  top  priority  is  to  protect  its  own  communi¬ 
cations  and  information  systems  (CIS)  that  support 
alliance  military  operations.28  NATO  also  has  several 
major  supporting  mission  areas  that  include  shared 
situational  awareness  in  cyberspace,  critical  infrastruc¬ 
ture  protection  (CIP),  critical  information  infrastruc¬ 
ture  protection  (CUP),  counter-terrorism,  support  to 
member  countries  cyber-capability  development,  and 
response  to  crises  related  to  cyberspace.  To  explore 
these  mission  areas,  let  us  examine  the  operations  and 
planning,  doctrine  and  methods,  and  training  and  ex¬ 
ercises  related  to  NATO  military  cyberspace  activities. 

Operations  and  Planning. 

As  the  NAC  provides  policy  and  strategic  guid¬ 
ance,  and  NATO  Headquarters  committees  provide 
governance.  Allied  Command  Operations  (ACO)  pro¬ 
vides  the  planning  and  execution  of  all  alliance  opera¬ 
tions.  ACO  operates  at  strategic,  operational,  and  tac- 
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tical  levels  to  achieve  its  primary  mission  of  ensuring 
integrity  of  Alliance  territory  as  well  as  supporting 
missions  that  may  require  deployment  outside  this 
area.  Strategic  level  operations  are  directed  within 
the  Supreme  Headquarters  Allied  Powers  Europe 
(SHAPE)  located  in  Mons,  Belgium.  Operational  level 
operations  rely  on  standing  Joint  Force  Commands  in 
Brunssum,  the  Netherlands  (JFCBS)  and  in  Naples,  It¬ 
aly  (JFCNP)  which  operate  in  a  similar  manner  as  U.S. 
joint  forces  in  that  they  may  conduct  operations  from 
their  permanent  location  or  from  a  headquarters  de¬ 
ployed  to  the  theater  of  operations.  Tactical  level  oper¬ 
ations  are  directed  by  three  domain-based  commands: 
Headquarters  Allied  Land  Command  (HQ  LAND- 
COM)  in  Izmir,  Turkey,  Headquarters  Allied  Maritime 
Command  (HQ  MARCOM)  in  Northwood,  U.K.,  and 
Headquarters  Allied  Air  Command  (HQ  AIRCOM)  in 
Ramstein,  Germany.  Support  of  operational  command 
and  control  comes  from  the  CIS  Group  headquartered 
in  Mons,  Belgium,  with  signal  battalions  in  Germany, 
Italy,  and  Poland.29  The  force  structure  is  organized  in 
three  broad  categories,  which  are  in  decreasing  order 
of  readiness  level:  in-place  forces,  deployable  forces, 
and  long  term  build  up  forces.30 

The  organization  of  NATO  cyber  operations  fol¬ 
lows  a  similar  paradigm.  Strategic-level  cyber  de¬ 
fense  and  situational  awareness  occurs  at  ACO  and 
operational-level  cyber  activities  occur  at  the  JFCs, 
tactical  commands,  and  CIS  Group. 31  Tactical-level 
cyber  situational  awareness  is  primarily  provided  by 
the  NATO  Communications  and  Information  Agency 
(NCI  Agency),  an  agency  established  in  July  2012  as 
a  merger  of  more  than  five  separate  NATO  entities  to 
help  achieve  unity  of  effort.32  NCI  Agency  supports 
routine  daily  ACO  operations  and  during  crisis  re¬ 
sponse  ACO  prioritizes  the  NCI  Agency  efforts.  While 


11 


the  NCI  Agency  primary  mission  is  to  connect  and 
defend  Alliance  networks,  it  also  assists  NATO  and 
Partner  Nations  develop  interoperable  communica¬ 
tion  and  information  capabilities.33 

To  provide  NATO  with  constant  and  integrated 
cyber  defense  coverage,  the  NCI  Agency  operates 
technical  elements  of  the  NCIRC.34  Initially  envisioned 
in  the  2002  Prague  Summit  to  be  "the  Alliance's  'first 
responders'  to  prevent,  detect,  and  respond  to  cyber 
incidents,"35  the  NCIRC  developed  its  initial  capa¬ 
bilities  between  2003  and  2006  and  then  continued  to 
evolve  in  both  its  capacity  and  capability.36  The  term 
"full  operational  capability  (FOC)"  has  been  applied 
to  the  NCIRC  in  several  contexts.  For  example,  the 
2010  Lisbon  and  2012  Chicago  summits  pushed  for 
FOC  by  the  end  of  2012.  As  noted  by  one  of  the  key 
project  managers,  '"full  operational  capability'  is  per¬ 
haps  a  misnomer  —  cyberthreats  are  constantly  evolv¬ 
ing,  and  we  [NATO]  will  never  have  a  final  or  full 
capability."37  Capabilities  have  improved  steadily  as 
the  NCIRC  FOC  was  implemented  in  planned  incre¬ 
ments.38  The  FOC  achieved  in  May  2014  at  a  cost  of  €58 
million  (U.S.  $74.5  million)  now  provides  improved 
cyber  protection  of  55  NATO  sites  worldwide.39 

Part  of  the  NCIRC  FOC  Project  was  the  establish¬ 
ment  of  a  rapid  reaction  team  (RRT)  capability  by  the 
end  of  2012.  The  RRT  capability  consists  of  a  perma¬ 
nent  core  of  six  cyber  experts  as  well  as  national  or 
NATO  experts  in  other  areas  unique  to  the  specific 
mission  that  can  be  formed  to  respond  within  24  hours 
of  an  incident.40  The  RRT  participates  in  NATO-spon¬ 
sored  exercises  to  hone  the  skills  of  its  members  and 
to  refine  its  procedures.  The  limited  nature  of  the  RRT 
resources  requires  the  team  to  work  with  industry 
as  well  as  with  the  Computer  Emergency  Response 
Teams  (CERTs)  of  affected  nations.41 
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The  NCIRC  also  has  a  staff-run  Coordination  Cen¬ 
ter,  which  coordinates  cyber  defense  activities  within 
NATO  as  well  as  provides  staff  support  to  the  CDMB 
and  liaison  to  external  organizations,  such  as  the  Eu¬ 
ropean  Union  (EU).42  One  area  of  such  collaboration  is 
that  of  CIP,  a  challenge  that  is  not  limited  to  military 
operations  alone.  As  one  cyber  subject  matter  expert 
at  the  NATO  Joint  Warfare  Centre  argues: 

Some  military  professionals  argue  that  protecting  cy¬ 
berspace  where  civilian  infrastructure  operates  is  a 
civil  matter,  however,  if  an  attack  against  infrastruc¬ 
ture  can  affect  the  military  operation,  it  has  to  be  re¬ 
garded  in  the  Operational  Planning  Process.43 

Certainly,  NATO  has  made  great  strides  in  the  area  of 
its  own  CUP44  through  such  accomplishments  as  the 
NCIRC  FOC,  but  how  can  and  should  NATO  cyber 
operations  support  the  more  general  threat  of  CIP? 

In  December  2012,  the  NATO  Emerging  Security 
Challenges  Division  in  Brussels  sponsored  a  confer¬ 
ence  focused  on  NATO's  role  in  CIP.  Findings  of  the 
meeting  included  the  recognition  that  NATO's  role 
might  necessitate  many  response  capabilities  for  CIP 
that  involve  such  activities  as  disaster  relief  and  anti¬ 
terrorism  perhaps  coordinated  with  cyber  defense. 
However,  the  conference  sponsor  noted: 

NATO  cannot  be  the  sole  answer  or  panacea  to  many 
of  the  challenges  of  critical  infrastructure  but  the  Alli¬ 
ance  cannot  afford  to  turn  its  back  on  them  entirely  if 
it  seeks  to  remain  a  relevant  security  organization  in 
the  21st  century.45 
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One  of  the  key  concerns  noted  by  attendees  was  how 
to  define  and  prioritize  the  CIP  assets  among  allies,  as 
well  as  how  to  include  private  business.46  These  issues 
can  be  addressed,  in  part,  through  the  proper  plan¬ 
ning  of  military  operations. 

Traditional  military  planning  requires  inputs  and 
coordination  amongst  staff  elements  at  the  appropri¬ 
ate  headquarters.  For  current  cyberspace  activities  at 
Headquarters  NATO,  coordination  may  involve  staffs 
of  the  J2  (Intelligence),  J3  (Operations),  J5  (Plans  and 
Policy),  J6  (Consultation,  Control  and  Communica¬ 
tions),  and  J 7  (Cooperation  and  Regional  Security 
Division)  and  activities  at  lower-level  headquarters 
will  likely  involve  similar  staff  structures.  One  of  the 
greatest  challenges  for  NATO  is  akin  to  that  faced  by 
U.S.  forces  with  regard  to  which  staff  element  leads 
the  effort  — that  is,  who's  in  charge?  Although  no  stan¬ 
dard  NATO  organization  structure  for  cyber  defense 
planning  has  been  codified,  common  themes  have 
emerged  from  exercises.  One  recommendation  is  to 
follow  the  traditional  goal  "to  establish  cross-func¬ 
tional  staff  entities  to  harness  expertise  for  application 
and  focus  to  cyber  problems."47  It  is  also  prudent  to 
develop  concepts  that  mirror  some  traditional  joint 
task  force  staffs,  such  as  a  Cyber  Defence  Cell  and  Cy¬ 
ber  Defence  Working  Group  as  vehicles  to  facilitate 
coordination.48 

When  actually  engaged  in  operations,  a  Joint  Task 
Force  commander  must  try  to  maintain  the  neces¬ 
sary  operations  tempo  despite  cyber  attacks  aimed  at 
disrupting  this  objective.  Thus,  operational  planning 
should  fully  understand  and  appreciate  the  vulner¬ 
abilities  as  well  as  the  enhancements  that  cyberspace 
capabilities  may  present.  As  noted  in  the  Joint  Warfare 
Centre  Three  Swords  Magazine,  "operationally -minded 
decisions  must  prevail  in  determining  how  best  to 
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avoid,  mitigate  and  prevent  the  consequences  of  cy¬ 
ber  attacks  on  these  vulnerabilities  [that  are  caused  by 
operation's  cyber  dependencies]."49 

In  addition  to  operational  planning,  NATO  must 
incorporate  cyberspace  requirements  into  its  resource 
planning  process.  In  April  2012,  cyber  defense  was 
integrated  into  the  NATO  Defence  Planning  Process 
(NDPP).50  To  get  the  most  from  resource  expendi¬ 
tures,  NATO  has  introduced  an  initiative  —  Smart  De¬ 
fence— to  leverage  the  sharing  of  capabilities  in  a  time 
of  austerity.  Put  simply,  "Smart  Defence  is  a  coopera¬ 
tive  way  of  generating  modern  defence  capabilities 
that  the  Alliance  needs,  in  a  more  cost-efficient,  effec¬ 
tive  and  coherent  manner."51  The  initiative  includes 
projects  for  enhanced  cyber  defense.  In  April  2015,  the 
Portuguese  Ministry  of  Defence  hosted  the  first  Cyber 
Defence  Smart  Defence  Projects'  Conference,  which 
included  presentations  on  the  three  projects  in  work, 
as  well  as  sessions  on  cooperation  with  academia  and 
industry.  The  first  project  is  the  Malware  Information 
Sharing  Platform  (MISP),  an  initiative  led  by  Belgium 
to  "facilitate  information  sharing  of  the  technical  char¬ 
acteristics  of  malware  within  a  trusted  community 
without  having  to  share  details  of  an  attack."52  The 
MISP  capability  was  initially  designed  to  support 
NCIRC  Technical  Centre  work  but  is  now  available  to 
all  member  countries.53 

The  second  project,  Multinational  Cyber  Defence 
Capability  Development  (MN  CD2),  is  an  effort  start¬ 
ed  in  March  2013  and  led  by  the  Netherlands  teamed 
with  Canada,  Denmark,  Norway,  and  Romania.  The 
project  goal  is  to  "cooperate  on  the  development  of: 
improved  means  of  sharing  technical  information; 
shared  awareness  of  threats  and  attacks;  and  advanced 
cyber  defence  sensors"54  MN  CD2  activities  are  man¬ 
aged  in  several  work  packages;  the  four  initial  work 
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packages  are  Technical  Information  Sharing,55  Cyber 
Defence  Situational  Awareness  (CDSA),56  Distributed 
Multi-sensor  Collection  and  Correlation  Infrastruc¬ 
ture  (DMCCI),57  Cyber  Information  and  Incident  Co¬ 
ordination  System  (CIICS)  Enhancements.58  Two  new 
MN  CD2  work  packages  were  approved  in  June  2015: 
CIICS  Support  Work  Package  and  a  Cyber  Security 
Assessment  Team  (CSAT)  capability.59 

The  third  project,  Multinational  Cyber  Defence 
Education  and  Training  (MN  CD  E&T),  helps  to  de¬ 
velop  courses  for  cyber  education  programs,  battle  lab 
support  for  training,  and  cyber  range  support  for  ex¬ 
ercises  to  enhance  professional  development  and  cer¬ 
tification  of  cyber  defense  personnel.  Led  by  Portugal, 
there  are  11  NATO  countries  formally  participating 
with  another  11  countries,  as  well  as  the  EU,  who  are 
interested;  currently,  the  United  States  is  not  among 
the  group.60 

Capabilities  and  lessons  learned  from  these  Smart 
Defence  programs  are  being  applied  to  support  the 
broader  Connected  Forces  Initiative  (CFI)  to  enhance 
interconnectivity  and  interoperability  of  Allied  forces. 
Together,  these  programs  support  the  NATO  Forces 
2020  goal:  “a  coherent  set  of  deployable,  interoperable 
and  sustainable  forces  equipped,  trained,  exercised 
and  commanded  to  operate  together  and  with  part¬ 
ners  in  any  environment."61  Details  of  the  CFI  were 
outlined  in  the  2014  NATO  Wales  Summit  Declaration 
and  they  include  the  large-scale  (25,000  personnel) 
exercise  Trident  Juncture.62  For  this  exercise,  cyber 
defense  experts  from  the  NATO  Joint  Warfare  Centre 
plan  to  practice  skills  and  techniques  that  were  refined 
through  the  STEADFAST  series  of  NATO  exercises.63 
What  doctrine  and  methods  form  the  basis  for  how 
operators  will  perform  in  these  exercises? 
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Doctrine  and  Methods. 


Allied  Command  Transformation  (ATC)  is  one 
of  two  strategic  commands  of  NATO;  together  with 
ACO  they  form  the  NATO  Command  Structure 
(NCS).  While  ACO  focuses  on  current  operations, 
ACT  concentrates  on  transformation  initiatives  for 
NATO  military  structure,  forces,  capabilities,  and 
doctrine.  Headquartered  in  Norfolk,  Virginia,  ACT 
directs  three  major  units:  the  Joint  Warfare  Centre  in 
Stravanger,  Norway;  the  Joint  Force  Training  Centre 
in  Bydgoszcz,  Poland;  and  the  Joint  Analysis  and  Les¬ 
sons  Learned  Centre  in  Monsanto,  Portugal.  Other 
NATO  education  and  training  centers  and  Centres 
of  Excellence  (COE)  coordinate  their  activities  with 
ACT. 64 

The  only  NATO  accredited  COE  dedicated  to  cy¬ 
berspace  activities  is  the  Cooperative  Cyber  Defence 
Centre  of  Excellence  (CCD  COE)  located  in  Tallinn, 
Estonia.  The  CCD  COE  was  established  in  October 
2008  via  a  Memorandum  of  Understanding  amongst 
seven  NATO  countries  (Estonia,  Germany,  Italy,  Lith¬ 
uania,  Latvia,  the  Slovak  Republic,  and  Spain)  with  a 
vision  "to  enhance  cooperative  cyber  defence  capabili¬ 
ties  of  NATO  and  NATO  nations,  thus  improving  the 
Alliance's  interoperability  in  the  field  of  cooperative 
cyber  defence."65  Through  its  myriad  endeavors,  the 
CCD  COE  supports  NATO  education,  training,  exer¬ 
cise,  and  research  programs.  These  efforts  include  an 
annual  conference  on  Cyber  Conflict  first  held  in  2009; 
numerous  cyberspace-related  workshops  and  short 
courses  addressing  issues  from  tactical  technical  pro¬ 
cedures  up  through  national-level  strategic  planning; 
annual  dedicated  cyber  exercises  first  held  in  2010  as 
well  as  support  to  large-scale  NATO  exercises;  and  an 
extensive  on-line  library.66 
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Two  other  NATO-accredited  COEs  sponsor  cyber- 
related  activities  related  to  maritime  operations  and 
defense  against  terrorism.  The  Combined  Joint  Opera¬ 
tions  From  The  Sea  Centre  of  Excellence  (CJOS  COE) 
in  Norfolk,  Virginia,  has  an  ongoing  Maritime  Cyber 
Security  project  to  "lead  the  development  of  a  net¬ 
worked  response  to  maritime  cyber  security  threats 
and  challenges."67  The  center  has  produced  white 
papers  on  the  cyber  defense  aspects  of  maritime  op¬ 
erations  and  port  security  as  well  as  the  related  le¬ 
gal  implications.68  The  Centre  of  Excellence  Defence 
Against  Terrorism  (COE-DAT)  in  Ankara,  Turkey,  has 
developed  and  delivered  various  courses  and  work¬ 
shops  regarding  terrorist  activities  in  cyberspace.69 
The  COE-DAT  sponsored  its  first  cyberspace-related 
course,  "Countering  Cyber  Terrorism,"  in  November 
2006,  which  included  participants  from  18  countries  (9 
NATO  and  9  non-NATO).70  The  center's  most  recent 
courses  include  "Terrorist  Use  of  Cyberspace"  in  May 
201471  and  "Critical  Infrastructure  Protection  against 
Terrorist  Attacks"  in  November  2014;72  both  courses 
explored  a  diverse  variety  of  cyberspace-related  top¬ 
ics  on  the  physical  and  virtual  environments. 

The  state  of  doctrine  development  for  cyberspace 
operations  is  still  in  the  formative  stages.  A  search 
through  publicly  available  NATO  Allied  Joint  Doc¬ 
trine  documents  reveals  an  incomplete  incorporation 
of  cyberspace  activities.  The  capstone  document  for 
Allied  Joint  doctrine,  AJP-01  (December  2010),  recog¬ 
nizes  "cyber-operations"  as  an  extension  of  traditional 
NATO  security  challenges;  highlights  the  increase  in 
reliance  of  Alliance  operations  on  information  sys¬ 
tems  and  the  resulting  vulnerability  to  cyber  attacks; 
and  depicts  cyber  operations  as  a  subset  of  defensive 
information  operations.73  Even  though  it  was  pub¬ 
lished  4  months  after  the  current  AJP-01,  the  capstone 
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document  for  communication  and  information  sys¬ 
tems  doctrine,  AJP-6  (April  2011),  contains  no  explicit 
mention  of  "cyber"  or  "cyberspace."  Instead,  AJP-6 
focuses  on  security  aspects  of  communication  and 
information  systems  in  the  guise  of  "Information  As¬ 
surance"  designed  to  "to  ensure  the  systems  and  net¬ 
works  employed  to  manage  the  critical  information 
used  by  an  organization  are  reliable  and  secure,  and 
processes  are  in  place  to  detect  and  counter  malicious 
activity."74  The  capstone  document  for  operational 
planning,  AJP-5  (June  2013),  includes  cyberspace  as  a 
functional  area  for  planning  on  par  with  maritime,  air, 
space,  and  land.  AJP-5  also  places  "defensive  cyber 
operations"  amongst  the  means  to  help  achieve  coher¬ 
ence  and  synergy  in  the  planning  for  joint  targeting 
and  the  employment  of  joint  fires.75 

For  operational  doctrine,  the  relevant  capstone 
document,  AJP-3  (March  2011),  has  an  inconsistent 
incorporation  of  cyberspace.  The  publication  initially 
depicts  cyberspace  as  a  subset  of  the  information  en¬ 
vironment,  but  later  puts  it  on  par  with  other  joint 
capabilities  in  the  statement: 

A  joint  operation  endeavours  to  synchronize  the  em¬ 
ployment  and  integration  of  the  capabilities  provided 
by  land,  maritime,  air,  space,  cyber  space,  special  op¬ 
erations  and  other  functional  forces.76 

AJP-3  maintains  the  perspective  of  cyberspace  as 
its  own  domain  when  describing  the  elements  of  a 
Joint  Force  Commander's  establishing  directive,77  but 
then  places  it  back  under  the  information  environment 
in  the  description  of  The  Operational  Environment.78 

Currently,  there  is  no  dedicated  NATO  doctrine  for 
cyberspace  operations  akin  to  the  U.S.  Joint  Publication 
3-12(R),  Cyber  Operations  (October  2014);  most  of  the 
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details  of  such  activities  are  captured  in  AJP-3.10,  Al¬ 
lied  Joint  Doctrine  for  Information  Operations(November 
2009).  AJP-3.10  uses  the  nomenclature  of  computer 
network  operations  (CNO)  and  computer  network  de¬ 
fense  (CND)  that  was  used  in  U.S.  joint  doctrine  prior 
to  the  release  of  JP  3-12(R).79  In  efforts  to  improve  this 
situation,  the  NATO  Joint  Warfare  Centre  notes  there 
is  ongoing  work  "to  develop  a  JTF  HQ  SOP  [standard 
operating  procedure]  218  for  Cyber  Defence,  which 
will  likely  serve  to  identify  pre-doctrinal  processes 
and  standard  working  methods  before  doctrine  is  in 
place."80  Also,  the  cyberspace  doctrine  is  evolving 
through  lessons  learned  from  various  NATO  exer¬ 
cises,  as  illustrated  by  the  development  of  key  plan¬ 
ning  products  such  as  a  Cyber  Prioritized  Asset  List 
(CPAL),  Cyber  Risk  Assessment  Matrix  (CRAM),  and 
Warning  Advice  and  Reporting  Points  (WARP).81 

The  continued  development  of  cyberspace  future 
doctrine  should  consider  not  only  military  capabili¬ 
ties,  but  also  those  of  industry  as  well  considering  that 
the  NCI  Agency  website  states  "80%  of  our  [the  NCI 
Agency]  work  is  done  through  contracts  with  national 
Industries."82  To  facilitate  enhanced  relationships  with 
commercial  cyberspace  ventures,  the  NATO  Industry 
Cyber  Partnership  (NICP)  was  launched  on  Septem¬ 
ber  17,  2014  at  a  2-day  conference  in  Mons,  Belgium, 
with  1,500  industry  leaders  and  NATO  policy  mak¬ 
ers.83  The  key  principle  of  the  NICP  initiative  is  that 
the  NCI  Agency  "will  cooperate  with  the  private  sec¬ 
tor  for  the  primary  purpose  of  reinforcing  the  protec¬ 
tion  of  NATO's  own  networks."84  The  NICP  builds 
upon  existing  cooperative  efforts,  such  as  guidelines 
for  information  sharing  at  the  technical  level  to  en¬ 
hance  cyber  security.85  Recent  NICP  accomplish¬ 
ments  include  the  successful  conclusion  of  the  Cyber 
Security  Incubator  Pilot  Project  in  which: 
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NATO,  industry,  and  academic  participants  worked 
together  on  defining  challenges  and  investigating  in¬ 
novative  solutions  in  the  areas  of  big  data  and  data  fu¬ 
sion,  cyber  defence  situational  awareness,  and  mobile 
security.86 

Another  recent  NICP  partnership  is  one  between 
the  NCI  Agency  and  Microsoft  as  part  of  the  compa¬ 
ny's  Government  Security  Program  (GSP)  to  "evalu¬ 
ate  and  protect  existing  systems  and  maintain  more 
secure  infrastructure."87 

The  Multinational  Capability  Development  Cam¬ 
paign  (MCDC)  effort  for  2013-2014  is  a  recent  venture 
involving  many  NATO  countries  designed  to  develop 
and  refine  fundamental  processes  to  integrate  cyber¬ 
space  operations  into  operational  doctrine.  As  the 
seventh  iteration  in  a  Multinational  Experimentation 
series  that  started  in  2001,  the  theme  for  MCDC  2013- 
2014  was  Combined  Operational  Access.88  Participants 
from  19  countries  focused  "on  the  versatile,  agile  ca¬ 
pabilities  required  to  project  combined  forces  into 
an  operational  area  with  sufficient  freedom  of  action 
to  accomplish  the  mission."89  The  project  is  divided 
across  seven  Focus  Areas,  which  included  Cyber  Im¬ 
plications  for  Combined  Operational  Access  (CICOA). 
This  is  an  effort  of  14  contributing  countries  led  by  It¬ 
aly  and  Norway  to  "develop  procedural  and  technical 
solutions  to  facilitate  the  integration  of  cyber  into  the 
operational  planning  process."90  Tasks  were  separated 
into  two  workstrands:  one  led  by  Norway  to  explore 
"Operational  Planning  and  the  Cyber  Domain"  and 
the  other  led  by  Italy  to  study  "Cyber  Capabilities 
and  Data  Analysis."  Anticipated  deliverables  under 
review  include  guidelines  and  a  handbook  to  sup¬ 
port  joint  operational  planning  processes,  to  include 
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the  A  CO  Comprehensive  Operations  Planning  Direc¬ 
tive  (COPD).  CICOA  products  also  include  guidelines 
and  taxonomy  for  data  analyses  that  support  cyber 
situational  awareness  and  threat  assessment  as  part 
of  the  intelligence  process.91  The  current  program  of 
work  for  MCDC  2015-2016  includes  a  focus  area  on 
Multinational  Defensive  Cyber  Operations  (MDCO) 
led  by  the  United  States  to  build  upon  previous  work 
and  "to  develop  a  quicker  way  to  effectively  integrate 
multinational  forces  to  conduct  defensive  cyber  op¬ 
erations"  for  the  Multinational  Force  Commander.92 
What  are  some  practical  means,  short  of  actual  crisis, 
where  doctrine  and  processes  such  as  that  produced 
by  the  MCDC/ CICOA  undertaking  can  be  learned, 
applied,  and  perfected? 

Education,  Training  and  Exercises. 

Cyberspace-related  education  and  training  occurs 
at  multiple  levels  throughout  NATO.  The  NATO  De¬ 
fense  College  in  Rome,  Italy,  addresses  cyber  defense 
issues  at  the  strategic  level,  focusing  on  their  broader 
geopolitical  implications.  In  December  2013,  the  Col¬ 
lege  hosted  a  forum  on  "NATO  and  the  Future  of  Cy¬ 
ber  Security"  designed  to  promote  a  dialogue  within 
NATO  and  the  international  security  community.93 
The  College's  Research  Division  also  publishes  papers 
on  cyberspace  topics,  such  as  lessons  learned  from  the 
2007  Estonia  attack,  future  threats,  and  doctrine  de¬ 
velopment.94  The  NATO  School  in  Oberammergau, 
Germany,  currently  provides  six  resident  courses  re¬ 
lated  to  cyber  and  information  operations  at  the  op¬ 
erational  level  to  support  NATO  staff  officers  and  net¬ 
work  security  personnel.95  The  NATO  Joint  Warfare 
Centre  provides  training  for  joint  and  operational- 
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level  headquarters  to  include  awareness  and  appre¬ 
ciation  for  the  implications  of  cyberspace  activities  in 
NATO  operations.96  The  NATO  Communications  and 
Information  Systems  School  (NCISS),  which  became 
part  of  the  NCI  Agency  in  July  2012,  provides  five 
cyber-related  resident  courses  for  CIS  operators  and 
staff  personnel.  It  also  provides  support  to  deployed 
operations  and  subject  matter  expertise  for  exercises, 
conferences,  and  workshops.97  The  skills  achieved  by 
personnel  through  education  and  training  can  be  test¬ 
ed  at  the  Cyber  Range  operated  by  Estonian  Defence 
Forces  and  adopted  for  NATO  use  in  June  2014.98  The 
Cyber  Range  capability  provides  an  excellent  founda¬ 
tion  for  NATO  cyberspace-related  exercises. 

NATO  approaches  cyberspace-related  exercises 
in  two  broad  categories  —  those  specific  to  cyber  op¬ 
erations  and  those  integrated  into  existing  exercises.99 
The  largest  NATO  cyber  defense  exercise  is  the  “Cy¬ 
ber  Coalition"  series  that  has  been  conducted  annual¬ 
ly  since  2008.  Cyber  Coalition  2014  involved  "over  600 
technical,  government,  and  cyber  experts  operating 
from  dozens  of  locations  from  across  the  Alliance  and 
partner  nations"  as  well  as  observers  from  academia 
and  industry.  The  exercise  also  served  as  a  testbed 
for  the  CIICS  product  from  the  Smart  Defence  initia¬ 
tive.100  Cyber  Coalition  2014  also  "provided  a  stage  for 
exercising  strategic-  and  operational-level  informa¬ 
tion  sharing,  senior-level  decision  making,  and  multi- 
disciplined  coordination  in  the  cyber  realm"  amongst 
26  Allied  and  five  partner  nations  participating.101 
The  exercise  control  staff  was  hosted  by  the  Estonian 
National  Defence  College  in  Tartu,  Estonia  and  uti¬ 
lized  the  newly  adopted  NATO  Cyber  Range  there.102 
Tartu  also  hosted  Cyber  Coalition  2013. 103  It  is  interest¬ 
ing  to  note  that  Cyber  Coalition  2012  was  run  concur- 
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rently  with  the  annual  NATO  Crisis  Management  Ex¬ 
ercise  (CMX),  an  internal  command  post  exercise  that 
does  not  involve  deployed  forces.104 

In  addition  to  the  Cyber  Coalition  exercises,  the 
CCD  COE  in  Tallinn,  Estonia,  has  sponsored  the  dedi¬ 
cated  annual  cyber  exercise,  Locked  Shields,  since 
2010  (initially  called  Baltic  Cyber  Shield).  Having 
grown  significantly  over  the  years,  Locked  Shields 
2015  involved  400  participants  from  16  nations,  and 
was  sponsored  by  a  grant  from  the  government  of 
Canada.105  The  scenario  included  cyber  attacks  on  the 
fictitious  country  of  Beriya,  possibly  by  the  rival  na¬ 
tion  of  Crimsonia.  It  was,  perhaps,  a  shrewd  homage 
to  the  2007  cyber  attacks  on  Estonia  typically  attrib¬ 
uted  to  Russia,  but  never  proven  conclusively.106  From 
its  outset,  the  Locked  Shields  exercises  have  involved 
scenarios  that  include  attacks  on  critical  infrastructure. 
The  CCD  COE  keeps  after  action  reports  from  the  ex¬ 
ercises  in  its  publicly  accessible  website  library.107 

Bolstered  in  part  by  the  new  strategic  direction  for 
NATO  following  the  2010  Lisbon  Summit,  the  NATO 
Joint  Warfare  Centre  integrated  cyber  defense  ac¬ 
tivities  into  their  Steadfast  Juncture  2011  exercise  as 
part  of  the  initial  effort  to  develop  "across  NATO's 
battlestaffs  a  comprehensive  understanding  of  the 
far  reaching  impacts  of  cyber  attack."108  To  mirror  the 
complexity  of  real  world  cyberspace  vulnerabilities, 
the  exercise  designers  injected  cyber  attacks  into  three 
target  categories:  NATO  command  and  control  (e.g., 
computer  networks);  NATO  operations  (e.g.,  airports, 
seaports,  petroleum,  electricity);  and  NATO  mission 
stability  (e.g.,  energy,  medical,  financial,  transporta¬ 
tion,  communication).109  Two  years  later,  life  imitated 
the  scenario  as  Steadfast  Jazz  2013  participants  ex¬ 
perienced  real-world  cyber  attacks  during  exercise 
activities.110 
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Cyber  defense  activities  were  also  integrated  into 
the  2014  Coalition  Warrior  Interoperability  explora¬ 
tion,  experimentation,  examination  eXercise  (CWIX) 
held  at  the  Joint  Forces  Training  Centre  in  Bydgoszcz, 
Poland  "to  solve  existing  interoperability  issues  and 
explore  and  share  potential  solutions  in  anticipation 
of  future  operations  and  budget  constraints."111  The 
cumulative  lessons  learned  from  cyber  experience 
in  NATO  exercises  were  used  to  inform  the  recent 
Trident  Juncture  2015  exercise  (TRJE15),  the  largest 
NATO  exercise  since  2002.  The  exercise  was  planned 
to  be  conducted  from  October  3  to  November  6,  2015 
in  Italy,  Portugal,  and  Spain.112  As  discussed  earlier, 
TRJE15  tested  many  of  the  concepts  in  the  NATO 
Smart  Defence  and  Connected  Forces  Initiative  to  cer¬ 
tify  Joint  Force  Command  Brunssum  for  command  of 
the  NATO  Response  Force.113  Cyber  experts  from  the 
NATO  Joint  Warfare  Centre  published  a  series  of  sev¬ 
en  recommendations  specifically  aimed  at  applying 
cyber  defense  transformation  measures  gleaned  from 
the  last  four  STEADFAST  exercises  to  TRJE15.114  These 
exercises  test  operational  concepts  and  processes  that 
may  be  applied  in  contemporary  situations  within  the 
Alliance.  What  are  the  key  issues  related  to  the  cur¬ 
rent  NATO  cyber  policy  that  require  the  thoughtful 
consideration  of  senior  leaders? 

KEY  ISSUES  FOR  CURRENT  POLICY 

The  2010  NATO  Strategic  Concept  represents  a 
renaissance  of  NATO  core  tasks.  The  new  Enhanced 
Cyber  Defence  Policy  affirms  the  role  that  NATO  cy¬ 
ber  defense  contributes  to  the  mission  of  collective 
defense  and  embraces  the  notion  that  a  cyber  attack 
may  lead  to  the  invocation  of  Article  5  actions  for  the 
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Alliance.  Against  this  backdrop,  this  section  examines 
the  related  issues  of  offensive  cyberspace,  deterrence 
in  and  through  cyberspace,  legal  considerations,  and 
cooperation  with  the  EU. 

Offensive  Cyberspace. 

A  significant  "elephant  in  the  room"  issue  for 
NATO  cyberspace  operations  is  the  possibility  of  any 
use  of  offensive  cyber  by  the  Alliance.  Cyber  expert 
James  Lewis  poses  this  challenge  as:  "The  central  ques¬ 
tion  for  NATO's  cyber  doctrine  is  how  the  lack  of  an 
articulated  offensive  cyber  capability  affects  its  abil¬ 
ity  to  deter  or  defend."115  In  general,  offensive  cyber¬ 
space  operations  may  be  considered  as  the  use  of  cy¬ 
ber  capabilities  outside  of  the  defensive  firewall  of  the 
NATO  network.  Such  operations  could  be  conducted 
in  support  of  tactical  activities  by  forces  in  the  physi¬ 
cal  domains  (e.g.,  land,  sea,  or  air)  or  the  operations 
may  be  used  as  long-range  strategic  weapons  directed 
at  the  military  and  infrastructure  of  another  nation. 
The  implications  of  the  purposeful  use  of  devastating 
cyber  methods  against  a  foreign  homeland  bring  up 
allusions  to  the  use  of  nuclear  weapons.  In  fact,  Lewis 
asserts  that  there  is  a  "cyber  club"  with  NATO  — the 
United  States,  the  United  Kingdom,  and  Trance  — that 
possess  not  only  nuclear  weapons,  but  also  an  active 
offensive  cyberspace  capability.116  Indeed,  the  United 
States  has  officially  incorporated  offensive  cyberspace 
operations  (OCO)  in  its  publicly  available  joint  doc¬ 
trine  in  general  terms,  but  details  of  any  OCO  imple¬ 
mentation  remain  classified.117 

In  practical  terms,  NATO  may  already  be  enter¬ 
ing  the  gray  zone  of  developing  active  cyber  defense 
capabilities  that  go  beyond  the  firewall  to  neutralize 
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specific  Internet  nodes  that  are  conducting  attacks, 
such  as  those  that  facilitated  distributed  denial  of  ser¬ 
vice  actions  experienced  by  Estonia  in  2007.  As  one 
NATO  cyber  officer  noted,  "NATO  has  established 
a  capable  defence  for  most  cyber  threats,  but  that  is 
just  the  first  step  and  what  needs  to  quickly  follow  is 
the  development  of  'active  defence'  capabilities."118  In 
implementing  such  measures,  decision-makers  must 
recognize  that  whether  acts  of  active  cyber  defense  are 
considered  offensive  is  not  up  to  the  sender,  rather  the 
receiver,  because  well-justified  defensive  acts  may  be 
misinterpreted  as  aggression.119  However,  if  NATO 
operations  do  evolve  to  embrace  active  cyber  defense, 
and  then  go  further  to  adopt  OCO  in  a  manner  similar 
to  that  of  nuclear  weapons,  the  issue  of  political  con¬ 
trol  of  OCO  release  and  use  must  be  resolved  first.120 
Healey  and  Jordan  assert  that  the  focus  should  remain 
on  offensive  coordination,  not  capability,  and  suggest 
that  NATO  should  create  a  group  "with  voluntary  opt- 
in  for  states,  modeled  after  NATO's  existing  Nuclear 
Planning  Group,  to  discuss  and  map  out  an  offensive 
cyber  policy."121 

Deterrence  In  and  Through  Cyberspace. 

Closely  related  to  the  concept  of  OCO  is  what  part 
such  a  capability  might  play  in  the  overall  notion  of 
deterrence.  Certainly,  the  NATO  goal  of  achieving 
deterrence  with  the  Warsaw  Pact  through  various 
configurations  of  nuclear  force  planning  has  domi¬ 
nated  much  of  both  alliances'  early  histories.  In  an 
award-winning  essay  published  in  Joint  Force  Quar¬ 
terly,  Clorinda  Trujillo  surveyed  existing  scholarly 
publications  and  compiled  a  proposed  list  of  seven 
cyberspace  deterrent  options,  most  of  which  do  not 
require  OCO.  Trujillo  also  noted  the  particular  bar- 
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riers  associated  with  any  practice  application  of  cyber 
deterrence,  such  as  the  challenge  of  attribution  as  well 
as  the  risk  of  unintentional  outcomes  where  the  use  of 
a  cyber  capability  may  itself  result  in  further  vulner¬ 
ability.122 

Deterrence  theory  usually  includes  the  possibility 
of  an  escalation  of  conflict  and  force  between  parties. 
Traditional  nuclear  deterrence  frameworks  such  as  the 
Kahn  escalation  ladder  have  been  applied  conceptu¬ 
ally  to  circumstances  that  address  not  only  cyber,  but 
also  conventional  and  nuclear  forces  in  the  possible 
scenarios.123  Potential  misunderstanding  of  intentions 
and  actions  coupled  with  imperfect  situational  aware¬ 
ness  and  lack  of  common  language  may  facilitate  es¬ 
calation.  In  a  NATO  Defense  College  research  paper, 
Christine  Hegenbart  argues  for  the  development  of 
precise  and  actionable  linguistics  to  facilitate  under¬ 
standing  of  a  cyber  conflict  escalation  ladder  that  may 
span  a  spectrum  from  hacktivism/ cyber  vandalism  all 
the  way  up  to  cyber  war.124 

Deterrence  at  an  international  level  is  most  effec¬ 
tive  when  it  utilizes  all  instruments  of  power  avail¬ 
able  to  a  country —  diplomatic,  information,  military, 
and  economic.  The  United  States  may  be  the  only 
country  with  a  publicly  available  declaratory  deter¬ 
rence  statement  as  part  of  its  International  Strategy  for 
Cyberspace,  as  stated  below: 

When  warranted,  the  United  States  will  respond  to 
hostile  acts  in  cyberspace  as  we  would  to  any  other 
threat  to  our  country.  All  states  possess  an  inherent 
right  to  self-defense,  and  we  recognize  that  certain 
hostile  acts  conducted  through  cyberspace  could  com¬ 
pel  actions  under  the  commitments  we  have  with  our 
military  treaty  partners.  We  reserve  the  right  to  use 
all  necessary  means  —  diplomatic,  informational,  mili- 


28 


tary,  and  economic  — as  appropriate  and  consistent 
with  applicable  international  law,  in  order  to  defend 
our  Nation,  our  allies,  our  partners,  and  our  interests. 

In  so  doing,  we  will  exhaust  all  options  before  military 
force  whenever  we  can;  will  carefully  weigh  the  costs 
and  risks  of  action  against  the  costs  of  inaction;  and 
will  act  in  a  way  that  reflects  our  values  and  strength¬ 
ens  our  legitimacy,  seeking  broad  international  sup¬ 
port  whenever  possible.125 

Since  the  U.S.  statement  explicitly  includes  the 
protection  of  allies,  this  implies  inclusion  of  NATO 
under  the  U.S.  cyber  deterrence  umbrella.  Even  with 
this  theoretical  protection,  policy  makers  need  to  con¬ 
sider  how  to  deal  with  nonstate  actors  that  are  heav¬ 
ily  vested  in  the  virtual  realm  (e.g.,  Anonymous  and 
LulzSec).  Such  groups  may  be  impossible  to  deter 
since  they  have  "a  different  risk  tolerance  than  those 
acting  in  a  physical  domain  due  to  their  perceived 
anonymity,  invulnerability,  and  global  flexibility."126 

Legal  Considerations. 

A  continuing  issue  writ  large  within  both  NATO 
and  the  global  community  involves  how  existing  in¬ 
ternational  law  applies  to  activities  in  cyberspace. 
From  a  security  perspective,  significant  progress  was 
made  with  the  publication  of  the  Tallinn  Manual  on  the 
International  Law  Applicable  to  Cyber  Warfare  in  2013, 
the  culmination  of  a  3-year  collaborative  effort  spon¬ 
sored  by  the  CCD  COE.127  The  Tallinn  Manual  was 
preceded  by  the  publication  of  International  Cyber  Inci¬ 
dents:  Legal  Considerations,  an  earlier  study  by  the  CCD 
COE  that  includes  case  studies  on  four  high-visibility 
cyber  attacks:  Estonia  2007;  Radio  Free  Europe/ Ra¬ 
dio  Liberty  2008;  Lithuania  2008;  and  Georgia  2008. 128 
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The  analytical  framework  within  the  Tallinn  Manual 
is  based  largely  on  the  work  of  Michael  Schmitt,  but 
it  represents  only  one  such  model  for  evaluating  the 
severity  level  of  cyber  conflict.129  Perhaps  not  surpris¬ 
ingly,  some  non-NATO  nations  —  Russia  and  China 
in  particular  —  do  not  fully  agree  with  the  principles 
espoused  within  the  Tallinn  Manual.  This  is  a  signifi¬ 
cant  challenge  considering  these  countries  are  two  of 
the  five  permanent  members  of  the  United  Nations 
Security  Council.130 

Recognizing  that  the  Tallinn  Manual  focuses  on 
cyber  warfare  amongst  state  actors  at  levels  that  com¬ 
prise  "armed  attacks,"  a  CCD  COE  team  is  now  work¬ 
ing  on  how  international  law  applies  to  less  severe 
malevolent  activity  in  cyberspace.  The  effort  known  as 
"Tallinn  2.0"  looks  at  aggression  below  this  threshold, 
and  publication  of  an  updated  Tallinn  Manual  is  an¬ 
ticipated  in  2016. 131  In  addition,  the  CCD  COE  contin¬ 
ues  to  sponsor  courses  and  workshops  that  facilitate 
better  understanding  of  legal  issues  related  to  cyber 
conflict.132 

NATO  initiatives  with  the  private  sector,  such  as 
NICP,  present  significant  legal  issues  regarding  the 
status  of  the  private  contractors'  civilian  employees 
who  support  NATO  operations.  The  implications 
regarding  their  vulnerability  to  legitimate  attack  as 
well  as  liability  for  due  diligence  remains  under  legal 
evaluation.133 

Cooperation  with  the  European  Union. 

The  2010  Lisbon  Summit  Declaration  included  a 
call  for  NATO  to  work  more  closely  with  the  EU  in 
the  area  of  cyber  defense.134  Indeed,  of  the  28  NATO 
countries,  all  but  Albania,  Canada,  Iceland,  Norway, 
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Turkey,  and  the  United  States  are  members  of  the  EU. 
These  countries  share  common  interests  in  security 
programs  conducted  by  both  organizations  as  well  as 
the  desire  not  to  have  unnecessary  duplication  of  re¬ 
source  contributions.  Regarding  cyber  security,  both 
groups  have  similar  goals,  but  different  approaches, 
as  summed  up  by  Piret  Pernik  of  the  International 
Centre  for  Defence  Studies  in  Estonia: 

For  both  NATO  and  the  EU,  cyber  security  is  a  stra¬ 
tegic  issue  that  impacts  the  security  and  defence  of 
member  states  and  of  the  organisations  themselves. 
They  both  prioritize  the  resilience  and  defence  of  their 
own  networks,  organisations  and  missions,  leaving 
cyber  security  of  individual  members  states  a  national 
responsibility.  The  missions  of  the  two  organisations 
are  complementary,  with  NATO  focusing  on  security 
and  defence  aspects  of  cyber  security,  and  the  EU  deal¬ 
ing  with  a  broader,  mainly  non-military  range  of  cyber 
issues  (Internet  freedom  and  governance,  online  rights 
and  data  protection),  and  internal  security  aspects.135 

Previous  NATO-sponsored  studies  have  recom¬ 
mended  improved  cooperation  between  NATO  and 
the  EU  in  such  areas  as  critical  infrastructure  protec¬ 
tion.136  However,  unlike  NATO,  the  EU  does  not  pro¬ 
vide  direct  technical  support.  Rather,  it  facilitates  in¬ 
formation  sharing  through  such  organizations  as  the 
European  Network  and  Information  Security  Agency 
(ENISA)  and  the  European  Defence  Agency  (EDA).137 
Other  significant  differences  between  the  two  groups 
is  that  the  EU  does  not  own  its  command  and  control 
information  systems  and  it  lacks  the  central  author¬ 
ity  for  common  cyber  security,  such  as  that  found  in 
the  NAC.138 
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In  November  2014,  the  Council  of  the  EU  adopted 
the  EU  Cyber  Defence  Policy  Framework  to  identify 
priorities  as  well  as  roles  and  responsibilities  related 
to  the  EU  Common  Security  and  Defence  Policy.139 
Section  five  of  the  framework,  "Enhancing  coopera¬ 
tion  with  relevant  international  partners,"  includes 
a  description  of  methods  to  improve  EU  and  NATO 
collaboration  in  cyberspace: 

There  is  a  political  will  in  the  EU  to  cooperate  further 
with  NATO  on  cyber  defence  in  developing  robust 
and  resilient  cyber  defence  capabilities  as  required 
within  this  Policy  Framework.  Regular  staff-to-staff 
consultations,  cross-briefings,  as  well  as  possible  meet¬ 
ings  between  the  Politico-Military  Group  and  relevant 
NATO  committees,  shall  help  to  avoid  unnecessary 
duplication  and  ensure  coherence  and  complementar¬ 
ity  of  efforts,  in  line  with  the  existing  framework  of 
cooperation  with  NATO.140 

SUMMARY  OF  FINDINGS 

This  section  summarizes  the  key  findings  from 
the  discussion  of  NATO  cyberspace  capabilities  and 
briefly  examines  how  they  apply  to  U.S.  Department 
of  Defense  (DoD)  and  U.S.  Army  cyberspace  activities 
in  Europe. 

2.  The  NATO  institutional  embrace  of  cyberspace  activ¬ 
ities  is  similar  to  other  forms  of  evolution  that  the  Alliance 
has  undergone  since  its  formation. 

Aspects  of  the  evolution  of  U.S.  military  cyberspace 
goals  parallel  similar  developments  in  NATO.  U.S. 
Cyber  Command  reached  its  full  operational  capabil¬ 
ity  and  U.S.  Army  Cyber  Command  was  established 
during  the  month  before  the  Lisbon  Summit's  call 
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for  an  in-depth  update  of  NATO  cyber  policy.141  This 
policy  was  approved  by  NATO  Defence  Ministers  in 
June  2011,  just  a  month  before  the  release  of  the  DoD 
Strategy  for  Operating  in  Cyberspace !42  Most  recently, 
the  endorsement  of  an  enhanced  NATO  cyber  policy 
at  the  September  2014  Wales  Summit  was  followed  by 
an  updated  DoD  cyber  strategy  in  April  2015. 143 

U.S.  European  Command  (USEUCOM)  has  also 
evolved  to  adopt  cyber  operations  into  its  J6  staff  ele¬ 
ment,  officially  named  the  Command,  Control,  Com¬ 
munications  and  Computer  (C4)  /  Cyber  directorate. 
Among  its  current  priorities  is  "Operationalizing  the 
Joint  Cyber  Center  capabilities  (synchronization  and 
integration)."  In  his  February  2015  testimony  to  Con¬ 
gress,  the  USEUCOM  Commander,  General  Philip 
Breedlove,  noted  two  significant  milestones  for  his 
theater's  cyberspace  capabilities: 

EUCOM's  first  Cyber  Combat  Mission  Team  (CMT) 
and  Cyber  Protection  Team  (CPT)  reached  Initial  Op¬ 
erational  Capability  (IOC)  this  past  year  providing  us 
with  new  capabilities  to  protect  our  people,  systems, 
information,  and  infrastructure  while  holding  adver¬ 
saries  at  risk.  As  these  teams  continue  to  improve, 
EUCOM  will  have  an  enhanced  ability  to  plan  and 
conduct  Cyberspace  Operations  to  enhance  our  situ¬ 
ational  awareness  and  protect  our  cyber  flank.144 

U.S.  Army  Europe  (USAREUR)  continues  to  sup¬ 
port  the  changing  requirements  for  not  only  USEU¬ 
COM,  but  U.S.  Africa  Command  as  well.  In  July  2014, 
the  5th  Signal  Command  opened  the  Gray  Center 
Cyber  Operations  Center  in  Wiesbaden,  Germany. 
The  center  is  designed  "to  consolidate  tactical,  the¬ 
ater  and  strategic  communications"  for  combatant 
commanders  and  Army  forces  and  it  has  a  long-term 
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goal  "to  take  over  cyberwatch  responsibility  from  the 
Stuttgart-based  European  Command."145  Toward  this 
goal,  the  center  includes  a  Theater  Cyber  Operations 
Integration  Center. 

2.  Despite  a  call  at  the  2010  Lisbon  Summit  to  incorpo¬ 
rate  the  cyber  dimension  into  NATO  doctrine,  the  process 
has  been  slow  and  inconsistent.  The  relationship  between 
cyberspace  and  information  operations  in  doctrine  is  un¬ 
clear.  The  focus  of  NATO  cyberspace  in  doctrine  (formal 
and  de  facto)  is  defensive  and  supportive  in  nature;  this 
appears  to  be  by  design  since  NATO  has  yet  to  adopt  or 
coordinate  any  position  on  the  use  of  any  offensive  cyber 
activity. 

General  Breedlove's  February  2015  testimony 
to  Congress  discussed  cyberspace  operations  and 
information  operations  as  distinct  capabilities  that 
complement  each  other.146  The  United  States  should 
encourage  NATO  doctrinal  development  to  follow  the 
current  DoD  model  that  distinguishes  cyberspace  op¬ 
erations  from  information  operations  in  separate  joint 
publications  (JP  3-12  and  JP  3-13,  respectively). 

At  the  Service  level,  the  Army  is  working  to  imple¬ 
ment  the  joint  doctrine  structure  through  updates  in 
field  manuals  and  related  training.  In  September  2015, 
the  Army  Cyber  COE  formalized  this  as  an  initiative 
in  its  Strategic  Plan:  "Establish  Foundational  Doctrine 
for  Army  Cyberspace  Operations  That  Is  Consistent 
With  Joint  Doctrinal  Tenets."  This  initiative  includes 
the  development  of  Field  Manual  (FM)  3-12,  "Cyber¬ 
space  Operations,"  that  will  supersede  FM  3-38,  "Cy¬ 
ber  Electromagnetic  Activities."147  During  this  transi¬ 
tion  period,  the  Army  should  continue  to  work  with 
NATO  nations  to  share  expertise  on  the  evolving  role 
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of  cyberspace  activities.  A  good  example  of  such  co¬ 
operation  is  represented  by  the  certificate  of  partner¬ 
ship  signed  in  March  2015  by  Major  General  Stephen, 
Commanding  General  of  the  Army  Cyber  COE,  and 
Major  General  Heinrich-Wilhelm  Steiner,  Command¬ 
er  of  the  German  Bundeswehr  Communication  and 
Information  Systems  Command.148 

3.  The  role  of  cyberspace  activities  in  NATO  deterrence 
operations  is  not  yet  defined  in  any  public  forum. 

As  noted,  NATO  cyberspace  forces  do  not  have 
offensive  capabilities  by  design.  Thus,  some  theorists 
may  argue  that  cyberspace  operations  cannot  con¬ 
tribute  to  NATO  deterrence.  A  recent  Defense  Sci¬ 
ence  Board  Task  Force  conducted  a  detailed  study 
"to  review  and  make  recommendations  to  improve 
the  resilience  of  DoD  systems  to  cyber  attacks,"  and 
the  group's  final  report  offers  several  insights  that 
should  be  considered  by  NATO  political  and  military 
leaders.149  The  Task  Force  report's  first  recommenda¬ 
tion  is  to  "Protect  the  Nuclear  Strike  as  a  Deterrent 
(for  existing  nuclear  armed  states  and  existential  cy¬ 
ber  attack),"  which  would  be  applicable  to  a  limited 
number  of  state  actors  that  may  pose  a  credible  and 
attributable  high-tier  threat.150  If  adopted  by  NATO, 
the  schema  could  leverage  the  existing  NATO  nuclear 
force  structure  to  provide  deterrence  against  existen¬ 
tial-level  cyber  attacks. 

Perhaps  a  more  tempered  and  balanced  approach 
is  offered  by  the  same  report's  second  recommenda¬ 
tion:  "Determine  the  Mix  of  Cyber,  Protected-Con- 
ventional,  and  Nuclear  Capabilities  Necessary  for 
Assured  Operation  in  the  Face  of  a  Full-Spectrum 
Adversary."151  In  contrast  to  the  focus  of  the  first  rec- 
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ommendation  on  the  extreme  end  of  the  attack  spec¬ 
trum,  the  report  asserts,  "this  strategy  [of  the  second 
recommendation]  builds  a  real  ladder  of  capabilities 
and  alleviates  the  need  to  protect  all  of  our  systems 
to  the  highest  level  requirements."152  As  U.S.  political 
and  military  leadership  wrestles  with  the  methods 
best  suited  to  achieving  deterrence  using  all  forms  of 
national  power  —  including  cyberspace  capabilities  — 
they  should  continue  to  factor  in  the  deterrence  pro¬ 
vided  indirectly  to  NATO. 

4.  Cyberspace  presents  the  Alliance  with  complex  and 
interconnected  challenges  such  as  critical  infrastructure 
protection  at  the  NATO  and  national  level.  Many  nations 
face  further  challenges  in  coordinating  and  integrating 
their  own  internal  whole-of- government  approaches. 

Certainly,  the  United  States  is  among  those  nations 
striving  to  develop  and  maintain  a  national  cyberspace 
defense  that  is  coordinated  across  federal,  state,  and 
local  government.  While  self-interest  is  a  necessity  for 
any  sovereign  country,  there  are  areas  of  cyberspace 
activity  where  prudent  measures  and  harmonized  ac¬ 
tions  work  to  the  benefit  of  international  security  and 
stability.  Toward  this  end,  the  April  2015  Department 
of  Defense  Cyber  Strategy  identifies  Europe  as  a  priority 
region  for  partnership  building  and  explicitly  calls  for 
DoD  to  "work  with  key  NATO  allies  to  mitigate  cyber 
risks  to  DoD  and  U.S.  national  interests."153 

At  the  combatant  command  level,  USEUCOM  has 
sponsored  the  annual  Exercise  Combined  Endeavor 
for  20  years  as  part  of  the  U.S.  investment  in  improved 
regional  C4  interoperability.  The  exercise  is  evolving 
to  integrate  cyber  defense  into  a  shared  mission  net¬ 
work  infrastructure  that  can  accommodate  a  "bring 
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your  own  device"  environment.154  However,  such  ex¬ 
ercises  can  only  test  capabilities  developed  and  honed 
well  in  advance.  Cooperation  among  partner  nations 
is  enhanced  through  opportunities  such  as  the  July 
2015  Cyber  Summit  sponsored  by  USAREUR,  which 
had  a  theme  that  discussed  "how  to  protect  critical 
networks  and  infrastructure,  but  still  achieve  interop¬ 
erability  with  allies  in  the  cyber  domain."155 

5.  NATO  has  established  robust  education,  training, 
and  exercise  programs  that  include  dedicated  cyber  exer¬ 
cises  as  well  as  ones  integrated  into  large-scale  exercises 
addressing  both  the  political  and  military  aspects  of  crisis 
management. 

A  thorough  education,  training,  and  exercise  pro¬ 
gram  for  cyberspace  should  address  people  and  pro¬ 
grams  at  all  levels  within  NATO.  At  the  garrison  level, 
USAREUR  has  an  excellent  awareness  and  training 
program,  available  on  their  public  website,  that  ad¬ 
dresses  information  assurance  aspects  of  cyber  secu¬ 
rity  as  well  as  operational  security  and  force  protec¬ 
tion.156  The  repository  includes  a  superb  presentation 
on  "The  Cyber  Attack  Cycle"  that  discusses  the  seven- 
step  process  of  most  cyber  attacks  developed  by  the 
Army  Provost  Marshal  General  in  collaboration  with 
the  Army  Cyber  Command.157 

With  a  solid  foundation  at  the  unit  level,  USAREUR 
forces  also  work  to  establish  tactical-level  interopera¬ 
bility  through  events  such  as  the  annual  "Stoney  Run" 
exercise  between  the  Bravo  Company,  44th  Expedi¬ 
tionary  Signal  Battalion  and  the  250  Gurkha  Signal 
Battalion.  Lessons  learned  from  NATO  support  of  the 
Afghan  Mission  Network  have  been  applied  to  devel¬ 
op  the  Army  Coalition  Mission  Environment,  which 
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will  be  integrated  into  the  Steadfast  Cobalt  15  exercise 
in  Poland.  Cooperative  efforts  between  the  USAREUR 
102nd  Signal  Battalion  and  the  282nd  Bundeswehr 
Command  Support  Battalion  strive  to  work  out  cul¬ 
tural  challenges  amongst  partner  nations  resulting 
from  differences  in  language,  planning  cycles,  and 
societal  values.158 

At  the  NATO  operational  level,  USEUCOM  con¬ 
ducts  exercises  such  as  Combined  Endeavor  2014, 
which  involved  30  nations  and  three  international 
organizations  that  spent  "three  weeks  training,  op¬ 
erating,  and  configuring  to  a  common  securable 
standard."159  In  addition  to  large-scale  exercises, 
USEUCOM  also  supports  the  education  of  key  lead¬ 
ers  within  NATO.  In  December  2014,  the  George  C. 
Marshall  Center  in  Garmish-Partenkirchen,  Germany 
conducted  its  inaugural  Program  on  Cyber  Security 
Studies  with  67  participants  from  47  countries.  These 
attendees  all  had  "professional  knowledge  and  ca¬ 
pabilities  to  deal  with  transnational  cyber  security 
challenges"  and  the  course  material  was  "tailored  for 
senior  officials  responsible  for  developing  or  influ¬ 
encing  cyber  legislation,  policies  or  practices  in  their 
countries."  As  part  of  the  agenda,  the  USEUCOM/J6, 
Brigadier  General  Welton  Chase  Jr.  "discussed  mutual 
training  opportunities  and  exercises  to  enhance  cyber 
capabilities,  interoperability  and  resiliency."160 

6.  NATO  has  done  well  to  include  industry,  partner 
countries,  and  organizations  such  as  the  EU  in  many  of 
their  cyber-related  activities. 

To  help  promulgate  partnerships  beyond  military- 
to-military  venues,  USEUCOM  developed  Cyber 
Endeavor  as  its  "paramount  cyber  security  collabora- 
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tion,  familiarization,  and  engagement  program"  that 
includes  participation  by  academia  and  industry.161 
Cyber  Endeavor  began  in  2009,  and  it  is  comprised  of 
a  series  of  regional  seminars  held  in  different  coun¬ 
tries  with  speakers  from  the  military,  academia,  and 
companies  such  as  Microsoft,  Hewlett  Packard,  Cisco, 
and  Verizon.  Cyber  Endeavor  2014  held  seminars  in 
three  NATO  countries:  the  Czech  Republic,  focused 
on  configuration  management;  Bulgaria,  focused  on 
vulnerability  management;  and  Romania,  focused 
on  boundary  defense.  The  2014  program  culminated 
with  a  capstone  seminar  in  Grafenwohr,  Germany, 
held  concurrently  with  exercise  Combined  Endeavor, 
but  separate  from  its  activities.  The  capstone  agenda 
was  split  equally  into  two  major  elements,  with  one 
half  comprised  of  presentation  and  discussions  on  the 
latest  trends  in  cyberspace  activities  and  the  other  half 
concentrated  on  hands-on  training.162 

7.  NATO  cyber  activities  have  provided  smaller  coun¬ 
tries  with  unique  leadership  roles  within  the  Alliance. 

In  general,  U.S.  engagement  with  smaller  NATO 
countries  on  cyberspace  issues  has  been  positive  and 
encouraging.  As  noted  earlier,  Cyber  Endeavor  semi¬ 
nars  have  been  conducted  in  smaller  NATO  countries 
as  well  as  Partnership  for  Peace  countries,  such  as 
Montenegro.163  The  USEUCOM  International  Cyber 
Engagement  team  recognized  the  opportunity  to  le¬ 
verage  existing  programs,  such  as  the  State  Partner¬ 
ship  Program,  to  involve  National  Guard  units  in  the 
development  of  cyber  capabilities  of  specific  nations. 
One  example  is  the  coordination  with  the  Albania  J6 
staff  and  the  New  Jersey  National  Guard  in  May  2012 
that  followed  a  successful  Cyber  Endeavor  seminar  in 
Tirana  in  March  of  that  year.164 
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There  have  been  occasions  when  the  United  States 
has  been  slower  to  participate  in  new  NATO  cyber¬ 
space  undertakings  led  by  smaller  countries.  For  ex¬ 
ample,  the  United  States  did  not  join  the  CCD  COE 
until  November  2011,  more  than  3  years  after  its 
founding  in  Estonia.165  In  addition,  there  was  no  ac¬ 
tive  U.S.  participation  in  the  MCDC  2013-2014  CICOA 
cyberspace  initiative,  although  as  noted  earlier,  the 
United  States  has  taken  a  lead  role  in  the  MCDC  2015- 
2016  MDCO  initiative.166  While  it  may  not  always  be 
possible  or  prudent  to  have  U.S.  leadership  in  every 
area  of  NATO  cyberspace  programs,  it  is  advisable 
for  USEUCOM  and  USAREUR  leadership  to  evaluate 
and  prioritize  future  NATO  engagement  opportuni¬ 
ties  promptly. 

8.  NATO  has  taken  a  lead  role  on  a  global  scale  in  es¬ 
tablishing  standards  for  legal  evaluation  of  activities  in 
cyberspace. 

The  United  States  had  an  active  role  in  the  devel¬ 
opment  and  review  of  the  original  Tallinn  Manual, 
with  Professor  Michael  Schmitt  of  the  Naval  War  Col¬ 
lege  serving  as  Director  of  The  International  Group  of 
Experts.  The  U.S.  participation  included  an  observer 
from  U.S.  Cyber  Command  and  reviewers  from  the 
Naval  Postgraduate  School  and  the  U.S.  Military 
Academy.167  Representatives  of  the  Naval  War  Col¬ 
lege  also  provide  lectures  as  part  of  the  law  courses 
offered  by  the  CCD  COE. 

The  review  of  contemporary  legal  issues  related 
to  cyberspace  continues  to  be  addressed  in  several 
Service-specific  journals  such  as  the  U.S.  Naval  War 
College  International  Law  Studies168  and  The  Air  Force 
Law  Review.169  Also,  The  Army  Cyber  Institute  at  West 
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Point  and  U.S.  Marine  Force  Cyberspace  Command 
jointly  produce  The  Cyber  Defense  Review  to  serve  "as 
the  leading  online  and  print  journal  for  issues  relat¬ 
ed  to  cyber  for  military,  industry,  professional  and 
academic  scholars,  practitioners  and  operators"  that 
addresses  topics  of  law,  ethics,  and  policy  as  well  as 
strategy,  operations,  tactics,  and  history.170 

9.  Cyberspace  efforts  must  compete  for  resources  with 
other  operations  and  initiatives  within  NATO. 

Simply  put,  cyberspace  activities  are  not  the  num¬ 
ber  one  priority  for  NATO,  and  perhaps  not  even  in 
the  top  ten.  In  his  May  2015  assessment  of  the  Wales 
Summit,  European  expert  Dr.  John  Deni  argues  that 
one  of  the  key  obstacles  facing  the  NATO  refocus  on 
core  missions  is  "the  imbalance  between  an  increasing 
number  of  missions  and  stagnating  resources."171  He 
further  warns  that  in  such  a  constrained  fiscal  envi¬ 
ronment,  "the  clear  risk  here  is  that  NATO  may  over¬ 
commit  and  over-extend  itself"  in  the  pursuit  of  six 
new  initiatives  which  do  not  include  existing  efforts  in 
cyber  security  as  well  as  those  in  energy  and  environ¬ 
mental  security.172 

Indeed,  in  his  March  2013  testimony  to  Congress, 
former  SACEUR  and  USEUCOM  commander  Admi¬ 
ral  James  Stavridis  listed  cyberspace  as  only  one  of 
six  transnational  threats,  which,  in  turn,  collectively 
comprised  the  fourth  of  his  six  theater  priorities  for 
USEUCOM.173  The  current  SACEUR,  General  Philip 
Breedlove,  in  his  2014  article  "The  New  NATO"  listed 
cyber  security  challenges  in  a  group  of  "also  need  to 
consider  threats"  toward  the  end  of  the  discussion.174 
This  is  not  to  imply  that  cyberspace  capabilities  are 
not  important  to  NATO.  Rather,  it  is  to  acknowledge 
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the  numerous  competing  tasks  facing  the  Alliance  as 
it  continues  to  evolve  in  a  complex  and  dynamic  inter¬ 
national  environment. 

The  realm  of  cyberspace  itself  will  continue  to 
change,  as  will  the  myriad  actors  that  operate  in  and 
through  it  for  purposes  related  to  all  instruments  of 
power.  NATO  cyberspace  activities  face  many  chal¬ 
lenges  that  must  be  assessed  and  prioritized  on  a 
recurring  basis  by  policymakers.  While  there  will 
always  be  room  for  improvement,  the  overall  state 
of  cyberspace  activities  within  NATO  appears  to  be 
sound.  The  continued  resourcing  for,  and  pursuit  of, 
improved  cyberspace  capabilities  by  U.S.  military 
forces  in  Europe  will  help  to  ensure  the  steady  prog¬ 
ress  of  NATO  cyberspace  endeavors. 
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2014,  available  from  cjoscoe.org/images/Legal_Questions_-_Edit.pdf, 
accessed  September  25,  2015. 

69.  NATO  Accredited  Centres  Of  Excellence  2015,  pp.  21-22.  Also 
see  the  website  of  the  Centre  of  Excellence  Defence  Against  Ter¬ 
rorism  (COE-DAT),  available  from  www.coedat.nato.int/index.html, 
accessed  September  27,  2015. 
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Centre  of  Excellence  Defence  Against  Terrorism,  November  2006, 
available  from  www.coedat.nato.int/publication/course_reports/06- 
CCT.pdf  accessed  August  9,  2015.  In  his  opening  remarks  for 
the  course,  the  Centre  of  Excellence  Defence  Against  Terrorism 
(COE-DAT)  commander  noted  the  following: 

The  topic  of  'Cyber  Terrorism'  as  an  emerging  threat  is  of 
great  importance,  and  we  hope  that  this  week  will  increase 
all  of  our  understanding  as  to  the  nature  and  severity  of  the 
threat,  and  what  we  can  do  to  reduce  this  threat.  The  Internet 
is  an  international  phenomenon,  and  any  response  to  Cyber 
Terrorism  will  be  most  effective  at  the  international  level. 
This  course  can  only  contribute  to  our  communal  response 
to  the  threat,  and  the  COE-DAT  hopes  to  identify  further 
areas  of  research  during  the  planned  Advanced  Research 
Workshop  in  'Countering  Cyber  Terrorism'  next  year. 

(pp.  2-3) 

71.  Terrorist  Use  of  Cyberspace  Course  Report,  Ankara,  Turkey: 
Centre  of  Excellence  Defence  Against  Terrorism,  May  2014,  avail¬ 
able  from  www.coedat.nato.int/publication/course_reports/ll-Terror- 
ist_Use_of_Cyberspace.pdf,  accessed  August  9,  2015.  The  report  in¬ 
cluded  an  overview  of  the  goals  and  scope  of  the  course: 

The  aim  of  the  course  was  to  emphasize  the  effects  and  role 
of  media,  especially  social  media,  as  a  strategic  communi¬ 
cations  for  terrorist  activities;  to  prospect,  list,  and  analyze 
the  current  cyberterrorism  threats,  and  comprehend  their 
specificity  in  order  to  raise  awareness  of  the  cyber  risks;  to 
discuss  proposals  of  how  specific  legal  issues  might  be  over¬ 
come  and  addressed;  to  comprehend  politics  of  cybersecu¬ 
rity  at  global,  regional  and  national  levels;  and  to  facilitate 
understanding  among  the  participants  of  why  international 
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cooperation  is  an  essential  starter  in  addressing  the  chal¬ 
lenges  that  come  from  terrorist  use  of  cyberspace. 

The  course  was  successfully  completed  accordingly  to  the 
agenda.  Eleven  lecturers  from  six  countries  and  66  attendees 
from  23  countries  participated  in  the  course,  representing 
military  institutions,  law  enforcement  agencies,  government 
departments  and  academia.  There  were  16  lectures,  two 
working  group  preparation  sessions,  two  working  group 
presentations  and  one  panel  discussion  held  throughout  the 
course,  (p.  3) 

72.  Critical  Infrastructure  Protection  against  Terrorist  Attacks, 
Ankara,  Turkey:  Centre  of  Excellence  Defence  Against  Terrorism, 
November  2014,  available  from  www.coedat.nato.int/publication/ 
course_reports/12-CIP.pdf  accessed  September  27,  2015.  In  the  sec¬ 
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tegic  Concept'  in  2010,  and  revised  it  in  2011,  to  further 
develop  its  ability  to  prevent,  detect,  defend  against  and  re¬ 
cover  from  cyber-attacks  by  expanding  its  capacity  in  cyber¬ 
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rity  standard  about  those  national  cyber-systems,  which 
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ernment,  the  private  sector,  citizens,  and  other  international 
partners.  It  will  never  be  possible  to  stop  all  terrorist  attacks. 
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73.  Allied  Joint  Publication  (AJP)-Ol(D),  Allied  Joint  Doctrine, 
Brussels,  Belgium:  NATO  Standardization  Office,  December 
2010,  available  from  nso.nato.int/nso/zpublic/ap/ajp-01(d).pdf,  ac- 
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cessed  September  28,  2015.  Per  paragraph  0509  (p.  5-2),  the  focus 
of  military  operations  aspect  remains  focused  on  information  op¬ 
erations,  of  which  cyber  is  a  subset,  as  one  of  the  seven  principal 
joint  functions  for  a  commander  to  utilize  (the  others  are  Manoeu¬ 
vre  and  Fires;  Command  and  Control;  Intelligence;  Sustainability; 
Force  Protections;  and  Civil  Military  Co-operation).  The  follow¬ 
ing  are  cyberspace-related  excerpts  from  the  document: 

The  security  challenges  now  facing  NATO,  which  extend 
beyond  its  traditional  area  of  responsibility,  include  areas 
such  as  missile  defence  and  cyber-operations,  (p.  2-1,  para. 
0203) 

In  addition,  the  Alliance's  growing  reliance  on  information 
and  information  systems  creates  vulnerability  to  cyber  at¬ 
tack,  which  may  reduce  or  cancel  NATO's  superiority  in 
conventional  weaponry,  (p.  2-3,  para.  0210) 

One  of  the  key  contemporary  challenges  within  the  realms 
of  protection  is  defensive  information  operations,  specifi¬ 
cally  cyber,  communications  and  command  and  control  sys¬ 
tems'  protections.  This  is  an  area  of  increasing  vulnerability, 
directly  proportional  to  NATO's  levels  of  dependence  on 
such  systems,  (p.  5-14,  para.  0533) 

74.  Allied  Joint  Publication  (AJP)-6,  Allied  Joint  Doctrine  for 
Communication  and  Information  Systems,  Brussels,  Belgium:  NATO 
Standardization  Office,  April  6,  2011,  available  from  nso.nato.int/ 
nso/zPublic/ap/ajp-6.pdf,  accessed  September  27,  2015.  Information 
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authentication,  confidentiality,  and  non-repudiation  of  informa¬ 
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Information  assurance  requires  management  processes  to 
ensure  the  systems  and  networks  employed  to  manage  the 
critical  information  used  by  an  organization  are  reliable  and 
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licious  activity.  Information  assurance  includes  elements  of 
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and  information  security.  This  includes  a  range  of  electronic 
techniques  such  as  communications  security  (COMSEC), 
incorporating  emission  control  (EMCON)  and  emission 
security,  computer  security  (COMPUSEC),  transmission  se¬ 
curity,  defensive  monitoring  and  technical  inspection  tech- 
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niques,  counter-eavesdropping,  limited  electronic  sweeps, 
and  vulnerability  analysis.  COMSEC  and  COMPUSEC  are 
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considered  throughout  planning  and  execution.  Informa¬ 
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valid  information  is  available  to  authorized  users,  and  pre¬ 
venting  valid  information  from  being  available  to  unauthor¬ 
ized  persons.  The  degree  of  security  provided  must  be  con¬ 
sistent  with  the  requirements  of  CIS  users,  the  vulnerability 
of  transmission  media  to  interception  and  exploitation,  and 
the  reliability  and  releasability  of  COMSEC  hardware  and 
software.4  Information  assurance  is  the  protection  and  de¬ 
fence  of  information  and  information  systems  by  ensuring 
their  availability,  integrity,  authentication,  confidentiality, 
and  non-repudiation,  (p.  1-4,  para.  0103.f.) 
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0114.b.(3)) 
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This  AJP  describes  the  fundamental  operational  aspects  of 
joint  operations  and  provides  guidance  on  the  conduct  of 
joint  operations  at  the  operational  level.  These  operations 
are  complex  and  contain  all  the  different  tasks  that  span  the 
range  of  military  operations,  from  humanitarian  assistance 
to  combat.  Most  operations  will  take  place  in  all  environ¬ 
ments  (maritime,  land,  air  and  space,  information  including 
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cyberspace)  while  some  will  predominantly  favour  a  single 
one,  such  as  maritime. 

77.  Ibid.,  p.  1-26.  The  Joint  Force  Commander's  establishing 
directive  is  described  in  para.  192: 

These  directives  are  essentially  an  order  that  specifies  the 
purpose  of  the  support  relationship,  the  effect  desired  and 
the  scope  of  action  to  be  taken  and  should  include,  but  is  not 
limited  to  the  following: 

f.  Establishment  of  air,  sea,  and  ground  manoeuvre 
control  measures  and  cyberspace  operations 
protocols. 

78.  Ibid.,  p.  4-3.  Para.  0410  clearly  implies  that  cyberspace  is 
part  of  the  information  environment: 

The  operating  environment  includes  the  sea,  land,  air  and 
space  the  adversary,  neutral  and  friendly  actors,  facilities, 
weather,  terrain,  electromagnetic  spectrum  (EMS),  and  the 
information  environment,  which  includes  cyberspace,  with¬ 
in  the  JO  A  and  areas  of  interest. 

79.  Hutson,  p.  36.  The  author  notes  some  current  inconsisten¬ 
cy  with  regard  to  NATO  cyber  defense  (CD)  doctrine: 

There  is  little  to  no  NATO  CD  specific  doctrine,  much  less 
agreed  cyber  related  definitions  or  taxonomy  for  cyber  for 
the  deployed  Commander.  This  lack  of  doctrine,  however, 
is  made  more  problematic  by  the  fact  that  there  is  approved 
NATO  Doctrine  for  Computer  Network  Operations  (CNO) 
and  Computer  Network  Defence  (CND)  in  the  context  of  In¬ 
formation  Operations  Doctrine  (AJP  3.10),  and  for  Informa¬ 
tion  Assurance  within  the  context  of  the  AJP-6  series  -  both 
of  which  are  not  always  consistent  with  approved  NATO 
CD  policy  and  developing  NATO  cyber  taxonomy. 

80.  Ibid.,  p.  39. 

81.  Ibid.,  p.  37. 

82.  See  the  "About"  page,  "NATO  Communications  and  In¬ 
formation  Agency,"  NCI  Agency  official  website. 
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83.  "NATO  launches  Industry  Cyber  Partnership,"  NATO 
News  official  website,  last  updated  September  17,  2014,  available 
from  nato.int/cps/en/natolive/news_113121.htm?selectedLocale=en, 
accessed  September  17,  2015. 

84.  "Our  objectives  and  principles,"  NATO  Industry  Cyber 
Partnership  official  website,  available  from  www.nicp.nato.int/ob- 
jectives-and-principles/index.html,  accessed  September  17,  2015.  The 
specific  objectives  of  the  NICP  are  listed  as: 

As  part  of  NATO's  efforts  to  strengthen  its  cyber  defence, 

the  NATO  Industry  Cyber  Partnership  will  have  the  follow¬ 
ing  objectives: 

•  Improve  cyber  defence  in  NATO's  defence  supply  chain; 

•  Facilitate  participation  of  industry  in  multinational  Smart 
Defence  projects; 

•  Contribute  to  the  Alliance's  efforts  in  cyber  defence  edu¬ 
cation,  training  and  exercises; 

•  Improve  sharing  of  best  practices  and  expertise  on  pre¬ 
paredness  and  recovery  (to  include  technology  trends); 

•  Build  on  existing  NATO  initiatives  for  industry  engage¬ 
ment,  providing  specific  focus  and  coherence  on  the  cy¬ 
ber  aspects; 

•  Improve  sharing  of  expertise,  information  and  experi¬ 
ence  of  operating  under  the  constant  threat  of  cyber  at¬ 
tack,  including  information  on  threats  and  vulnerabili¬ 
ties,  e.g.  malware  information  sharing; 

•  Help  NATO  and  Allies  to  learn  from  industry; 

•  Facilitate  access  by  Allies  to  a  network  of  trusted  indus¬ 
try/  enterprises; 

•  Raise  awareness  and  improve  the  understanding  of  cy¬ 
ber  risks; 

•  Help  build  access  and  trust  between  NATO  and  the  pri¬ 
vate  sector; 

•  Leverage  private  sector  developments  for  capability  de¬ 
velopment,  and; 

•  Generate  efficient  and  adequate  support  in  case  of  cyber 
incidents. 
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85.  Industry  Cyber  Security  Information  Sharing  at  the  Technical 
Level  Guidelines  Revision  1,  Brussels,  Belgium:  NATO  Communica¬ 
tion  and  Information  Agency,  March  28,  2014.  The  Introduction 
section  (p.  1)  of  these  guidelines  outlines  the  motivation  for  creat¬ 
ing  an  effective  working  relationship: 

NATO  and  industry  working  with  NATO  continue  to  face 
increasing  risks  that  Information  exchanged  or  stored  on 
their  networks  and  systems  can  be  accessed,  affected  or  in¬ 
fected  through  malicious  cyber  acts  thereby  causing  damage 
to  the  Alliance  and  its  Members.  NATO  and  industry  need 
to  be  able  to  prevent  and  counter  such  threats  and  to  analyse 
and  share  data  in  order  to  understand  the  nature,  extent  and 
possible  sources  of  such  incidents  and  to  react  to  threats. 

The  NATO  Communications  and  Information  Agency  (NCI 
Agency)  is  responsible  for  identifying  and  promoting  the 
development  of  essential  capabilities  that  meet  NATO's 
and  its  Member  Nations'  needs  in  ensuring  cyber  safety  and 
security.  NATO  capabilities  to  identify,  prevent,  detect  and 
respond  to  external  threats  to  NATO  CIS  infrastructure  are 
primarily  performed  by  the  NCI  Agency  NATO  Computer 
Incident  Response  Capability  Technical  Centre  (NCIRC  TC). 

With  these  Guidelines,  the  NCI  Agency  implements  a  vol¬ 
untary  bilateral  Cyber  Information  Sharing  Programme 
which  will  allow  industry  working  with  NATO  and  NATO 
to  share  cyber  security  Information  in  order  to  mutually 
enhance  situational  awareness  and  the  protection  of  their 
networks  and  systems. 

86.  "NCI  Agency  Pilot  Project  Reveals  Key  Lesson  on  Strength¬ 
ening  NATO  Cyber  Defence,"  NATO  Industry  Cyber  Partnership 
official  website,  September  9,  2015,  available  from  ncia.nato.int/ 
NewsRoom/Pages/150909-Cyber-Incubator.aspx,  accessed  September 
17,  2015.  The  article  included  a  summary  of  the  goals  of  the  Cyber 
Security  Incubator  Pilot  Project: 

The  NCI  Agency  developed  the  cyber  security  incubator 
concept  with  the  aim  of  exploring  a  new  model  for  coop¬ 
eration  between  NATO  and  industry  partners  that  could 
decrease  the  time  to  develop  responses  to  NATO's  cyber 
security  challenges.  The  incubator  pilot  project  identified  an 
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approach  to  bring  rapid  results  from  academia  and  industry 
to  NATO,  and  discussions  are  underway  to  determine  how 
this  framework  could  be  extended  to  integrate  these  ideas 
into  NATO's  IT  environment  in  a  timeframe  that  keeps  pace 
with  evolving  cyber  threats.  This  is  likely  to  be  the  target  of 
a  second  stage  of  the  incubator,  (p.  2) 

87.  "NCI  Agency  and  Microsoft  sign  cyber  cooperation 
agreement,"  NATO  Industry  Cyber  Partnership  official  web¬ 
site,  September  14,  2015,  available  from  ncia.nato.int/NewsRoom/ 
Pages/150914-NClAgency-Microsoft-GSP.aspx,  accessed  on  Septem¬ 
ber  17,  2015.  The  agreement  also  includes  details  regarding  intel¬ 
ligence  sharing: 

The  agreement  expands  technical  information  sharing  be¬ 
tween  Microsoft,  other  GSP  parties  and  the  NCI  Agency. 

The  NCI  Agency  will  gain  access  to  technical  information, 
and  documentation  about  Microsoft  products  and  services, 
as  well  as  information  about  internet  safety,  threat  intelli¬ 
gence,  online  training  tools  and  guidance  to  help  mitigate 
the  effects  of  cyberattacks  across  the  region.  A  practical 
effect  will  be,  for  instance  that  Microsoft  will  provide  the 
Agency  with  data  about  hosts  that  have  been  infected  with 
botnet  exploits,  and  the  Agency  will  be  able  use  this  data 
to  identify  and  remediate  potential  vulnerabilities  in  these 
systems,  (p.  1) 

88.  Siw  Tynes  Johnsen,  "Norway  co-leading  the  multi-nation¬ 
al  project  on  cyber  defence  and  operational  planning,"  The  Three 
Swords:  The  Magazine  of  the  Joint  Warfare  Centre,  No.  26,  May  2014, 
pp.  46-47. 


89.  Multinational  Capability  Development  Campaign,  MCDC 
2013-2014  Catalog  of  Products,  All  Partners  Access  Network,  p.  2, 
available  from  https://wss.apan.Org/s/MEpub/default.aspx,  accessed 
September  15,  2015.  The  expected  outcomes  of  MCDC  2013-2014 
are  summarized  as: 

MCDC  2013-2014  Focus  Area  results  described  in  this  sum¬ 
mary  have  the  potential  to  significantly  enhance  both  coali¬ 
tion  and  national  operating  capabilities  while  narrowing 
known  gaps.  This  latest  campaign  served  to  increase  collec¬ 
tive  understanding  within  each  of  the  separate  domains  and 
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provided  the  opportunity  to  further  explore  the  nature  of 
their  interconnectedness.  The  products  developed  provide 
a  common  foundation  for  national  and  organizational  ca¬ 
pability  development  in  the  areas  of  doctrine,  organization, 
training,  materiel,  leadership  education,  personnel,  facili¬ 
ties,  and  policy,  (p.  i) 

90.  Ibid.,  p.  2.  The  other  six  Focus  Areas  of  the  projects  were: 
Combined  Operational  Fires;  Combined  Operations  from  the 
Sea  Through  the  Littoral;  Maritime  Approach  to  Combined  Op¬ 
erational  Access;  Role  of  Autonomous  Systems  in  Gaining  Opera¬ 
tional  Access;  Strategic  Communication  in  Combined  Operation¬ 
al  Access-Information  Activities  and  Emerging  Communication 
Practices;  and  Understand  to  Prevent.  Contributing  countries 
to  the  Cyber  Implications  for  Combined  Operational  Access 
(CICOA)  work  were:  Austria,  Canada,  Finland,  Hungary,  Neth¬ 
erlands,  Poland,  Spain,  Sweden,  Switzerland,  and  U.K.  as  well 
as  organizations  of  the  European  Union  and  NATO  ACT.  The 
CICOA  problem  statement  was: 

This  Focus  Area  will  seek  to  continue  these  efforts  by  work¬ 
ing  to  integrate  cyber  into  the  multinational  planning  pro¬ 
cesses.  Operational  planning  requires  an  understanding  of 
cyberspace,  however  planners,  and  commanders,  do  not 
have  clear  cyber  situational  awareness.  In  spite  of  the  impor¬ 
tance  of  cyber  aspects  for  combined  joint  operational  access, 
they  are  not  addressed  in  the  multinational  operations  plan¬ 
ning  processes,  such  as  the  COPD.  The  integration  of  cyber 
into  the  planning  process  can  be  supported  by  procedural 
and  technical  capabilities/ solutions  in  order  to  facilitate  the 
commander's  assessment,  (p.  11) 

91.  Ibid.,  pp.  12-14. 

92.  Multinational  Capability  Development  Campaign,  MCDC 
2015-16  Information  Paper,  July  6,  2015,  available  from  https:// 
wss.apan.org/  s/MCDCpub/MCDC_2015_16/ default.aspx,  ac¬ 
cessed  September  28,  2015.  Participating  countries  for  the  MDCO 
are:  Austria,  Canada,  Finland,  Hungary,  Netherlands,  Norway, 
Poland,  Spain,  Sweden,  Switzerland,  and  U.K.  as  well  as  organi¬ 
zations  of  the  European  Union  and  NATO  ACT.  Also,  Denmark, 
Germany,  and  Japan  are  observers. 
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93.  "Rome  Atlantic  Forum  -  'NATO  and  the  Future  of  Cyber 
Security',"  NATO  Defense  College  website,  December  2,  2013, 
available  from  www.ndc.nato.int/news/news.php?icode=612,  ac¬ 
cessed  September  29,  2015.  The  purpose  of  the  forum  was  sum¬ 
marized  as: 

The  aim  of  this  event  was  to  promote  discussion  and  re¬ 
search  on  a  security  issue  relevant  not  only  to  NATO,  but  to 
the  international  security  community  as  a  whole:  cyber  se¬ 
curity,  and  NATO's  approach  to  dealing  with  cyber  threats. 

As  stressed  by  the  IAC  [Italian  Atlantic  Committee]  and  the 
ATA  [Atlantic  Treaty  Association]:  'Among  the  emerging 
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APPENDIX 


SUMMARY  OF  CYBER-RELATED  MATERIAL 
IN  DECLARATIONS  FROM  RECENT  NORTH 
ATLANTIC  TREATY  ORGANIZATION  (NATO) 
NORTH  ATLANTIC  COUNCIL  MEETINGS 


NATO  North 

Atlantic  Council 
Meeting 

Key  Cyberspace-Related  Text  in  Summit  Declaration 

Prague,  Czech 
Republic 

November  21,  2002 

4.  Effective  military  forces,  an  essential  part  of  our  overall  political  strategy, 
are  vital  to  safeguard  the  freedom  and  security  of  our  populations  and 
to  contribute  to  peace  and  security  in  the  Euro-Atlantic  region.  We  have 
therefore  decided  to: 

f.  Strengthen  our  capabilities  to  defend  against  cyber  attacks.1 

Istanbul,  Turkey 
June  28,  2004 

No  mention  of  cyber  in  declaration. 

Brussels,  Belgium 
February  25,  2005 

No  mention  of  cyber  in  declaration. 

Riga,  Latvia 
November  29,  2006 

The  adaptation  of  our  forces  must  continue.  We  have  endorsed  a  set  of 
initiatives  to  increase  the  capacity  of  our  forces  to  address  contemporary 
threats  and  challenges.  These  include: 

•  work  to  develop  a  NATO  Network  Enabled  Capability  to  share  informa¬ 
tion,  data  and  intelligence  reliably,  securely  and  without  delay  in  Al¬ 
liance  operations,  while  improving  protection  of  our  key  information 
systems  against  cyber  attack2 

Bucharest,  Hungary 
April  3,  2008 

47.  NATO  remains  committed  to  strengthening  key  Alliance  information 
systems  against  cyber  attacks.  We  have  recently  adopted  a  Policy  on  Cyber 
Defence,  and  are  developing  the  structures  and  authorities  to  carry  it  out. 

Our  Policy  on  Cyber  Defence  emphasises  the  need  for  NATO  and  nations 
to  protect  key  information  systems  in  accordance  with  their  respective 
responsibilities;  share  best  practices;  and  provide  a  capability  to  assist 

Allied  nations,  upon  request,  to  counter  a  cyber  attack.  We  look  forward 
to  continuing  the  development  of  NATO’s  cyber  defence  capabilities  and 
strengthening  the  linkages  between  NATO  and  national  authorities.3 
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Key  Cyberspace-Related  Text  in  Summit  Declaration 

Strasbourg-Kehl, 
France/Germany 
April  2-3,  2009 

49.  We  remain  committed  to  strengthening  communication  and  information 
systems  that  are  of  critical  importance  to  the  Alliance  against  cyber  attacks, 
as  state  and  non-state  actors  may  try  to  exploit  the  Alliance’s  and  Allies’ 
growing  reliance  on  these  systems.  To  prevent  and  respond  to  such  attacks, 
in  line  with  our  agreed  Policy  on  Cyber  Defence,  we  have  established 
a  NATO  Cyber  Defence  Management  Authority,  improved  the  existing 
Computer  Incident  Response  Capability,  and  activated  the  Cooperative 

Cyber  Defence  Centre  of  Excellence  in  Estonia.  We  will  accelerate  our  cyber 
defence  capabilities  in  order  to  achieve  full  readiness.  Cyber  defence  is  being 
made  an  integral  part  of  NATO  exercises.  We  are  further  strengthening  the 
linkages  between  NATO  and  Partner  countries  on  protection  against  cyber 
attacks.  In  this  vein,  we  have  developed  a  framework  for  cooperation  on 
cyber  defence  between  NATO  and  Partner  countries,  and  acknowledge  the 
need  to  cooperate  with  international  organisations,  as  appropriate.4 

Lisbon,  Portugal 
November  20,  2010 

40.  Cyber  threats  are  rapidly  increasing  and  evolving  in  sophistication.  In 
order  to  ensure  NATO’s  permanent  and  unfettered  access  to  cyberspace 
and  integrity  of  its  critical  systems,  we  will  take  into  account  the  cyber 
dimension  of  modern  conflicts  in  NATO’s  doctrine  and  improve  its 
capabilities  to  detect,  assess,  prevent,  defend  and  recover  in  case  of  a  cyber 
attack  against  systems  of  critical  importance  to  the  Alliance.  We  will  strive 
in  particular  to  accelerate  NATO  Computer  Incident  Response  Capability 
(NCIRC)  to  Full  Operational  Capability  (FOC)  by  2012  and  the  bringing  of 
all  NATO  bodies  under  centralised  cyber  protection.  We  will  use  NATO’s 
defence  planning  processes  in  order  to  promote  the  development  of  Allies’ 
cyber  defence  capabilities,  to  assist  individual  Allies  upon  request,  and  to 
optimise  information  sharing,  collaboration  and  interoperability.  To  address 
the  security  risks  emanating  from  cyberspace,  we  will  work  closely  with 
other  actors,  such  as  the  UN  and  the  EU,  as  agreed.  We  have  tasked  the 
Council  to  develop,  drawing  notably  on  existing  international  structures 
and  on  the  basis  of  a  review  of  our  current  policy,  a  NATO  in-depth 
cyber  defence  policy  by  June  201 1  and  to  prepare  an  action  plan  for  its 
implementation.5 
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49.  Cyber  attacks  continue  to  increase  significantly  in  number  and 
evolve  in  sophistication  and  complexity.  We  reaffirm  the  cyber  defence 
commitments  made  at  the  Lisbon  Summit.  Following  Lisbon,  last  year 
we  adopted  a  Cyber  Defence  Concept,  Policy,  and  Action  Plan,  which  [is] 
now  being  implemented.  Building  on  NATO’s  existing  capabilities,  the 
critical  elements  of  the  NATO  Computer  Incident  Response  Capability 
(NCIRC)  Full  Operational  Capability  (FOC),  including  protection  of  most 
sites  and  users,  will  be  in  place  by  the  end  of  2012.  We  have  committed 
to  provide  the  resources  and  complete  the  necessary  reforms  to  bring  all 
NATO  bodies  under  centralised  cyber  protection,  to  ensure  that  enhanced 
cyber  defence  capabilities  protect  our  collective  investment  in  NATO.  We 
will  further  integrate  cyber  defence  measures  into  Alliance  structures  and 
procedures  and,  as  individual  nations,  we  remain  committed  to  identifying 
and  delivering  national  cyber  defence  capabilities  that  strengthen  Alliance 
collaboration  and  interoperability,  including  through  NATO  defence  planning 
processes.  We  will  develop  further  our  ability  to  prevent,  detect,  defend 
against,  and  recover  from  cyber  attacks.  To  address  the  cyber  security 
threats  and  to  improve  our  common  security,  we  are  committed  to  engage 
with  relevant  partner  nations  on  a  case-by-case  basis  and  with  international 
organisations,  inter  alia  the  EU,  as  agreed,  the  Council  of  Europe,  the  UN 
and  the  OSCE,  in  order  to  increase  concrete  cooperation.  We  will  also  take 
full  advantage  of  the  expertise  offered  by  the  Cooperative  Cyber  Defence 
Centre  of  Excellence  in  Estonia.6 
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72.  As  the  Alliance  looks  to  the  future,  cyber  threats  and  attacks  will 
continue  to  become  more  common,  sophisticated,  and  potentially 
damaging.  To  face  this  evolving  challenge,  we  have  endorsed  an  Enhanced 
Cyber  Defence  Policy,  contributing  to  the  fulfillment  of  the  Alliance’s  core 
tasks.  The  policy  reaffirms  the  principles  of  the  indivisibility  of  Allied  security 
and  of  prevention,  detection,  resilience,  recovery,  and  defence.  It  recalls  that 
the  fundamental  cyber  defence  responsibility  of  NATO  is  to  defend  its  own 
networks,  and  that  assistance  to  Allies  should  be  addressed  in  accordance 
with  the  spirit  of  solidarity,  emphasizing  the  responsibility  of  Allies  to 
develop  the  relevant  capabilities  for  the  protection  of  national  networks. 

Our  policy  also  recognises  that  international  law,  including  international 
humanitarian  law  and  the  UN  Charter,  applies  in  cyberspace.  Cyber  attacks 
can  reach  a  threshold  that  threatens  national  and  Euro-Atlantic  prosperity, 
security,  and  stability.  Their  impact  could  be  as  harmful  to  modern  societies 
as  a  conventional  attack.  We  affirm  therefore  that  cyber  defence  is  part  of 
NATO’s  core  task  of  collective  defence.  A  decision  as  to  when  a  cyber  attack 
would  lead  to  the  invocation  of  Article  5  would  be  taken  by  the  North  Atlantic 
Council  on  a  case-by-case  basis. 

73.  We  are  committed  to  developing  further  our  national  cyber  defence 
capabilities,  and  we  will  enhance  the  cyber  security  of  national  networks 
upon  which  NATO  depends  for  its  core  tasks,  in  order  to  help  make  the 
Alliance  resilient  and  fully  protected.  Close  bilateral  and  multinational 
cooperation  plays  a  key  role  in  enhancing  the  cyber  defence  capabilities 
of  the  Alliance.  We  will  continue  to  integrate  cyber  defence  into  NATO 
operations  and  operational  and  contingency  planning,  and  enhance 
information  sharing  and  situational  awareness  among  Allies.  Strong 
partnerships  play  a  key  role  in  addressing  cyber  threats  and  risks.  We  will 
therefore  continue  to  engage  actively  on  cyber  issues  with  relevant  partner 
nations  on  a  case-by-case  basis  and  with  other  international  organisations, 
including  the  EU,  as  agreed,  and  will  intensify  our  cooperation  with  industry 
through  a  NATO  Industry  Cyber  Partnership.  Technological  innovations  and 
expertise  from  the  private  sector  are  crucial  to  enable  NATO  and  Allies  to 
achieve  the  Enhanced  Cyber  Defence  Policy’s  objectives.  We  will  improve 
the  level  of  NATO’s  cyber  defence  education,  training,  and  exercise  activities. 
We  will  develop  the  NATO  cyber  range  capability,  building,  as  a  first  step, 

on  the  Estonian  cyber  range  capability,  while  taking  into  consideration  the 
capabilities  and  requirements  of  the  NATO  CIS  School  and  other  NATO 
training  and  education  bodies.7 
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